Abstract A variety of logical frameworks support the use of higher-order abstract
syntax (HOAS) in representing formal systems. Although these systems seem
superficially the same, they differ in a variety of ways; for example, how they handle
a context of assumptions and which theorems about a given formal system can
be concisely expressed and proved. Our contributions in this paper are three-fold:
1) we develop a common infrastructure for representing benchmarks for systems
supporting reasoning with binders, 2) we present several concrete benchmarks,
which highlight a variety of different aspects of reasoning within a context of
assumptions, and 3) we design an open repository ORBI (Open challenge problem
Repository for systems supporting reasoning with Binders). Our work sets the
stage for providing a basis for qualitative comparison of different systems. This
allows us to review and survey the state of the art, which we do in great detail for
four systems in Part 2 of this paper (Felty et al., 2015). It also allows us to outline
future fundamental research questions regarding the design and implementation
of meta-reasoning systems.


Keywords Logical Frameworks · Higher-Order Abstract Syntax · Context
Reasoning · Benchmarks


1 Introduction 


In recent years the PoplMark challenge (Aydemir et al., 2005) has stimulated
considerable interest in mechanizing the meta-theory of programming languages
and it has played a substantial role in the wide-spread use of proof assistants to
prove properties, for example, of parts of a compiler or of a language design. The
PoplMark challenge concentrated on summarizing the state of the art, identifying
best practices for (programming language) researchers embarking on formalizing
language definitions, and identifying a list of engineering improvements to make
the use of proof assistants (more) commonplace. While these are important questions
whose answers will foster the adoption of proof assistants by non-experts, the challenge
neglects some of the deeper fundamental questions: What should existing or future
meta-languages and meta-reasoning environments look like and what requirements
should they satisfy? What support should an ideal meta-language and proof environment
give to facilitate mechanizing meta-reasoning? How can its design reflect
and support these ideals?

We believe “good” meta-languages should free the user from dealing with tedious
bureaucratic details, so s/he is able to concentrate on the essence of a proof
or algorithm. Ultimately, this means that users will mechanize proofs more quickly.
In addition, since effort is not wasted on cumbersome details, proofs are more likely
to capture only the essential steps of the reasoning process, and as a result, may be
easier to trust. For instance, weakening is a typical low-level lemma that is used
pervasively (and silently) in a proof. Freeing the user of such details ultimately
may also mean that the automation of such proofs is more feasible.

One fundamental question when mechanizing formal systems and their meta-theory
is how to represent variables and variable binding structures. There is a
wide range of answers to this question from using de Bruijn indices to locally
nameless representations, and nominal encodings, etc. For a partial view of the
field see the papers collected in the Journal of Automated Reasoning’s special issue
dedicated to PoplMark (Pierce and Weirich, 2012) and the one on “Abstraction,
Substitution and Naming” (Fernández and Urban, 2012).

Encoding object languages and logics (OLs) via higher-order abstract syntax
(HOAS), sometimes referred to as “lambda-tree syntax” (Miller and Palamidessi,
1999), where we utilize meta-level binders to model object-level binders, is in our
opinion the most advanced technology. HOAS avoids implementing common although
notoriously tricky routines dealing with variables, such as capture-avoiding
substitution, renaming, and fresh name generation. Compared to other techniques,
HOAS leads to very concise and elegant encodings and provides significant support
for such an endeavor. Concentrating on encoding binders, however, neglects
another important and fundamental aspect: the support for hypothetical and parametric
reasoning, in other words reasoning within a context of assumptions. Considering
a derivation within a context is commonplace in programming language
theory and leads to several natural questions: How do we model the context of
assumptions? How do we know that a derivation is sensible within the scope of a
context? Can we model the relationships between different contexts? How do we
deal with structural properties of contexts such as weakening, strengthening, and
exchange? How do we know assumptions in a context occur uniquely? How do we
take advantage of the HOAS approach to substitution?

Even in systems supporting HOAS there is not a uniform answer to these
questions. On one side of the spectrum we have systems that implement various
dependently-typed calculi. Such systems include the logical framework Twelf
(Schürmann, 2009), the dependently-typed functional language Beluga (Pientka,
2008; Pientka and Dunfield, 2010), and Delphin (Poswolsky and Schürmann).
All these systems also provide, in various degrees, built-in support for reasoning
modulo structural properties of a context of assumptions.

On the other side there are systems based on a proof-theoretic foundation,
which follow a two-level approach: they implement a specification logic (SL) inside
a higher-order logic or type theory. Hypothetical judgments of object languages
are modeled using implication in the SL and parametric judgments are
handled via (generic) universal quantification. Contexts are commonly represented
explicitly as lists or sets in the SL, and structural properties are established separately
as lemmas. For example, substituting for an assumption is justified by
appealing to the cut-admissibility lemma of the SL. These lemmas are not directly
and intrinsically supported through the SL, but may be integrated into a system’s
automated proving procedures, usually via tactics. Systems following this
philosophy are for instance the two-level Hybrid system (Momigliano et al., 2008;
Felty and Momigliano, 2012) as implemented on top of Coq and Isabelle/HOL,
and the Abella system (Gacek, 2008).

This paper, together with Part 2 (Felty et al., 2015), is a major extension of
an earlier conference paper (Felty and Pientka, 2010). The contributions of the
present paper are three-fold. First, we develop a common framework and infrastructure
for representing benchmarks for systems supporting reasoning with
binders; in particular, we develop notation to view contexts as “structured sequences”
and classify contexts using schemas. Moreover, we abstractly characterize
in a uniform way basic structural properties that many object languages
satisfy, such as weakening, strengthening, and exchange. This lays the foundation
for describing benchmarks and comparing different approaches to mechanizing
OLs. Second, we propose several challenge problems that are crafted to highlight
the differences between the designs of various meta-languages with respect to reasoning
with and within a context of assumptions, in view of their mechanization
in a given proof assistant. In Part 2 of this paper (Felty et al., 2015), we carry out
such a comparison on four systems: Twelf, Beluga, Hybrid, and Abella. Third,
we discuss the design of ORBI (Open challenge problem Repository for systems
supporting reasoning with Binders), an open repository for sharing benchmark
problems based on the infrastructure that we have developed. Although ORBI’s
syntax is inspired by systems such as Twelf and Beluga, we do not commit to using
a particular system, as we wish to retain the needed flexibility to be able to easily
support translations to both type-theoretic and proof-theoretic approaches.¹ The
common notation allows us to express the syntax of object languages that we wish
to reason about, as well as the context schemas, the judgments and inference rules,
and the statements of the benchmark theorems. We hope that ORBI will foster
sharing of examples in the community and provide a common set of examples.
We also see our benchmark repository as a place to collect and propose “open”
challenge problems to push the development of meta-reasoning systems.

The challenge problems also play a role in allowing us, as designers and developers
of logical frameworks, to highlight and explain how the design decisions for
each individual system lead to differences in using them in practice. This means
reviewing the state of the art, as well as outlining future fundamental research
questions regarding the design and implementation of meta-reasoning systems, as
we discuss further in the companion paper (Felty et al., 2015). Additionally, our
benchmarks aim to provide a better understanding of what practitioners should
be looking for, as well as help them foresee what kind of problems can be solved
elegantly and easily in a given system, and more importantly, why this is the case.
Therefore the challenge problems provide guidance for users and developers in better
comprehending differences and limitations. Finally, they serve as an excellent
regression suite.

¹ A first step in this direction is the translator for Hybrid, whose first version is presented
in Habli and Felty (2013).

This paper does not, of course, present 700 challenge problems. We start with a 
few and hope that others will contribute to the benchmark repository, implement 
these challenge problems, and further our understanding of the trade-offs involved 
in choosing one system over another for this kind of reasoning. 

The paper is structured as follows: In Sect. 2 we motivate our definition of contexts
as “structured sequences,” which refines the standard view of contexts, and
we describe generically and abstractly some context properties. Using this terminology
we then present the benchmarks and their proofs in Sect. 3. In Sect. 4 we
introduce ORBI and discuss how it provides HOAS encodings of the benchmarks in
a uniform manner. We discuss related work in Sect. 5 before concluding in Sect. 6.
Appendix A provides a quick reference guide to the benchmarks and Appendix B
gives a complete example of an ORBI file for a selection of the benchmark problems.
Full details about the challenge problems and their mechanization can be
found at https://github.com/pientka/ORBI. The latter, as well as the present
paper, can be better appreciated by reading the companion paper (Felty et al.,
2015).


2 Contexts of Assumptions: Preliminaries and Terminology 


Reasoning with and within a context of assumptions is common when we prove 
meta-theoretic properties about object languages such as type systems or logics. 
Hence, how to represent contexts and enforce properties such as well-formedness, 
weakening, strengthening, exchange, uniqueness of assumptions, and substitution 
is a central issue once we mechanize such reasoning. 

As mentioned, proof environments supporting higher-order abstract syntax
differ in how they represent and model contexts, and our comparison (Felty et al.,
2015) to a large extent focuses on this issue. Here we lay down a common framework
and notation for describing the syntax of object languages, inference rules
and contexts by using different representative examples. In particular, we refine
the standard view of contexts as sequences of assumptions and abstractly describe
structural properties such as weakening and exchange satisfied by many object
languages. Our description follows mathematical practice, in contrast to giving a
fully formal account based on, for example, type theory. In fact, all the notions that
we touch upon in this section, such as substitution, α-renaming, bindings, context
schemas to name a few, can and have been generally treated in Beluga (see e.g.,
Pientka, 2008). However, we deliberately choose to base our description on mathematical
practice to make our benchmarks more accessible to a wider audience
and so as not to force upon us one particular foundation. This infrastructure may
be seen as a first step towards developing a formal translation between different
foundations, i.e., a translation between Beluga’s type-theoretic foundation and the
proof-theory underlying systems such as Hybrid or Abella.
2.1 Defining Well-formed Objects


The first question that we face when defining an OL is how to describe well-formed 
objects. Consider the polymorphic lambda-calculus. Commonly the grammar of 
this language is defined using Backus-Naur form (BNF) as follows. 

   Types   A, B ::= α | arr A B | all α. A

   Terms   M    ::= x | lam x. M | app M1 M2 | tlam α. M | tapp M A


The grammar, however, does not capture properties of interest such as when a
given term or type is closed. Alternatively, we can describe well-formed types and
terms as judgments using axioms and inference rules following Martin-Löf (1996),
as popularized in programming language theory by Pfenning’s Computation and
Deduction notes (Pfenning, 2001).

We start with an implicit-context version of the rules for well-formed types
and terms that plays the part of the above BNF grammar, but is also significantly
more expressive. To describe whether a type A or term M is well-formed we use
two judgments, is_tp A and is_tm M, whose formation rules are depicted in
Fig. 1. The rule for function types (tp_ar) is unsurprising. The rule tp_al states that
a type all α. A is well-formed if A is well-formed under the assumption that the
variable α is also. We say that this rule is parametric in the name of the bound
variable α—thus implicitly enforcing the usual eigenvariable condition, since bound
variables can be α-renamed at will—and hypothetical in the name of the axiom
(tp_v) stating the well-formedness of this type variable. In this two-dimensional
representation, derived from Gentzen’s presentation of natural deduction, we do
not have an explicit rule for variables: instead, for each type variable introduced
by tp_al we also introduce the well-formedness assumption about that variable, and
we explicitly include names for the bound variable and axiom as parameters to
the rule name.


Type A is well-formed: is_tp A

                                  [is_tp α]^(tp_v)
                                        :
   is_tp A    is_tp B                is_tp A
   --------------------- tp_ar     -------------------- tp_al^(α, tp_v)
     is_tp (arr A B)               is_tp (all α. A)

Term M is well-formed: is_tm M

   [is_tm x]^(tm_v)                    [is_tp α]^(tp_v)
         :                                   :
      is_tm M                             is_tm M
   ------------------- tm_l^(x, tm_v)  -------------------- tm_tl^(α, tp_v)
   is_tm (lam x. M)                    is_tm (tlam α. M)

   is_tm M1    is_tm M2                is_tm M    is_tp A
   ---------------------- tm_a         --------------------- tm_ta
     is_tm (app M1 M2)                   is_tm (tapp M A)

Fig. 1 Well-formed Types and Terms (implicit context)
While variables might occur free in a type given via the BNF grammar, the
two-dimensional implicit-context formulation models more cleanly the scope of
variables; e.g., a type is_tp (all α. arr α β) is only meaningful in the context where
we have the assumption is_tp β.

Following this judgmental view, we can also characterize well-formed terms: the
rule for term application (tm_a) is straightforward and the rule for type application
(tm_ta) simply refers to the previous judgment for well-formed types since types
are embedded in terms. The rules for term abstraction (tm_l) and type abstraction
(tm_tl) are again the most interesting. The rule tm_l is parametric in the variable x
and hypothetical in the assumption is_tm x; similarly the rule tm_tl is parametric
in the type variable α and hypothetical in the assumption is_tp α.

We emphasize that mechanizations of a given object language can use either 
one of these two representations, the BNF grammar or the judgmental implicit 
context formulation. However, it is important to understand how to move between 
these representations and the trade-offs and consequences involved. For example, 
if we choose to support the BNF-style representation of object languages in a 
proof assistant, we might need to provide basic predicates that verify whether a 
given object is closed; further we may need to reason explicitly about the scope of 
variables. HOAS-style proof assistants typically adopt the judgmental view providing
a uniform treatment for objects themselves (well-formedness rules) and other
inference rules about them. 


2.2 Context Definitions 


Introducing the appropriate assumption about each variable is a general methodology
that scales to OLs accommodating much more expressive assumptions. For
example, when we specify typing rules, we introduce a typing assumption that
keeps track of the fact that a given variable has a certain type. This approach can
also result in compact and elegant proofs. Yet, it is often convenient to present
hypothetical judgments in a localized form, reducing some of the ambiguity of the
two-dimensional notation. We therefore introduce an explicit context for bookkeeping,
since when establishing properties about a given system, it allows us to
consider the variable case(s) separately and to state clearly when considering closed
objects, i.e., an object in the empty context. More importantly, while structural
properties of contexts are implicitly present in the above presentation of inference
rules (where assumptions are managed informally), the explicit context presentation
makes them more apparent and highlights their use in reasoning about
contexts. To contrast representation using explicit contexts to implicit ones and
to highlight the differences, we re-formulate the earlier rules for well-formed types
and terms given in Fig. 1 using explicit contexts in Sect. 2.4. As another example
of using explicit contexts, we give the standard typing rules for the polymorphic
lambda-calculus (see Sect. 2.4). The reader might want to skip ahead to get an
intuition of what explicit contexts are and how they are used in practice. In the
rest of this section, we first introduce terminology for structuring such contexts,
and then describe structural properties they (might) satisfy.

Traditionally, a context of assumptions is characterized as a sequence of formulas
A1, A2, ..., An listing its elements separated by commas (Pierce, 2002;
Girard et al., 1990). However, we argue that this is not expressive enough to capture
the structure present in contexts, especially when mechanizing OLs. In fact,
there are two limitations from that point of view.

First, simply stating that a context is a sequence of formulas does not characterize
adequately and precisely what assumptions can occur in a context and in
what order. For example, to characterize a well-formed type, we consider a type
in a context Φ_α of type variables. To characterize a well-formed term, we must
consider the term in a context Φ_αx that may contain type variables α and term
variables x.

   Context   Φ_α  ::= · | Φ_α, is_tp α

             Φ_αx ::= · | Φ_αx, is_tp α | Φ_αx, is_tm x

As a consequence, we need to be able to state in our mechanization when a given
context satisfies being a well-formed context Φ_α or Φ_αx. In other words, the grammar
for Φ_α and Φ_αx will give rise to a schema, which describes when a context is
meaningful. Simply stating that a context is a sequence of assumptions does not
necessarily allow us to distinguish between different contexts.

Second, forming new contexts by a comma does not capture enough structure.
For example, consider the typing rule for lambda-abstraction that states that
lam x. M has type (arr C B), if assuming that x is a term variable and x has type
C, we can show that M has type B. Note that whenever we introduce assumptions
x:C (read as “term variable x has type C”), we at the same time introduce the
additional assumption that x is a new term variable. This is indeed important,
since from it we can derive the fact that every typing assumption is unique. Simply
stating that the typing context is a list of assumptions x:C, as shown below in
the first attempt, fails to capture that x is a term variable, distinct from all other
term variables. In fact, it says nothing about x.

   Typing context (attempt 1)   Φ ::= · | Φ, x:C

The second attempt below also fails, because the occurrences of the comma have
two different meanings.

   Typing context (attempt 2)   Φ ::= · | Φ, is_tm x, x:C

The comma between is_tm x, x:C indicates that whenever we have an assumption
is_tm x, we also have an assumption x:C. These assumptions come in pairs and
form one block of assumptions. On the other hand, the comma between Φ and
is_tm x, x:C indicates that the context Φ is extended by the block containing
assumptions is_tm x and x:C.

Taking into account such blocks leads to the definition of contexts as structured
sequences. A context is a sequence of declarations D where a declaration is a block
of individual atomic assumptions separated by “;”. The “;” binds tighter than “,”.
We treat contexts as ordered, i.e., later assumptions in the context may depend on
earlier ones, but not vice versa—this in contrast to viewing contexts as multi-sets.

We thus introduce the following categories:

   Atom                    A

   Block of declarations   D ::= A | D; A

   Context                 Γ ::= · | Γ, D

   Schema                  S ::= D_s | D_s + S
Just as types classify terms, a schema will classify meaningful structured sequences.
A schema consists of declarations D_s, where we use the subscript s to
indicate that the declaration occurring in a concrete context having schema S may
be an instance of D_s. We use + to denote the alternatives in a context schema.

We can declare the schemas corresponding to the previous contexts, seen as
structured sequences, as follows:

   S_α  ::= is_tp α

   S_αx ::= is_tp α + is_tm x

   S_αt ::= is_tp α + is_tm x; x:C

We use the following notational convention for declarations and schemas: Lower
case letters denote bound variables (eigenvariables), obeying the Barendregt variable
convention; EV(D) will denote the set of eigenvariables occurring in D. Upper
case letters are used for “schematic” variables. Therefore, we can always rename
the x in the declaration is_tm x; x:C and instantiate C. For example, the context
is_tm y; y:nat, is_tp α, is_tm z; z:(arr α α) fits the schema S_αt.²

We say that a declaration D is well-formed if for every x ∈ EV(D) there is
an atom in D (notation A ∈ D) denoting the well-formedness judgment for x,
which we generically refer to as is-wf x, with the proviso that is-wf x precedes
its use in D; the meta-notation is-wf will be instantiated by an appropriate atom
such as is_tm or is_tp. A schema is well-formed if and only if all its declarations
are well-formed. For example, the schema S_αt is well-formed since the x in x:C is
declared by is_tm x appearing earlier in the same declaration. We will assume in
the following that all schemas are such.

More generally, we say that a concrete context Γ has schema S (Γ has_schema S),
if every declaration in Γ is an instance of some schema declaration D_s in S. By
convention, when we write S_i to denote a context schema, Γ_i will denote a valid
instance of S_i, namely such that Γ_i has_schema S_i, where subscript i is used to
denote the relationship between the schema and an instance of it.


Schema Satisfaction: Γ has_schema S

                            Γ has_schema S    D ∈ S    EV(D) ∩ EV(Γ) = ∅
   ----------------------   -----------------------------------------------
   · has_schema S                     (Γ, D) has_schema S

Block D of declarations is valid: D ∈ S

   D instance of D_s      D instance of D_s        D ∈ S
   -----------------      -----------------      -------------
       D ∈ D_s              D ∈ D_s + S           D ∈ D_s + S

Note that if D ∈ S, then it is by definition well-formed. The premise EV(D) ∩
EV(Γ) = ∅ requires eigenvariables in different blocks in a context satisfying the
schema to be distinct from each other. This constraint will always be satisfied by
contexts that appear in proofs of judgments using our inference rules—again, see
for example the inference rules in Sect. 2.4. We remark that a given context can in
principle inhabit different schemas; for example the context is_tp α1, is_tp α2 has
schema S_α but also inhabits schemas S_αx and S_αt.

² Although a schema does not appear to have an explicit binder, all the eigenvariables and
schematic variables occurring are considered bound. In ORBI (see Sect. 4) the block keyword
delineates the scope of eigenvariables and we use the convention that schematic variables
are written using upper case letters. Beluga’s type theory provides a formal type-theoretic
foundation for describing schemas where the scope of eigenvariables and schematic variables
in a schema is enforced using Σ and Π-types.

Note that according to the given grammar for schemas, contexts contain only 
atomic assumptions. We could consider non-atomic assumptions; in fact, more 
complex assumptions are not only possible, but sometimes yield very compact 
and elegant specifications, as we touch upon in Sect. 6. However, to account for
them, we would need to introduce a language for terms and formulas that we feel 
would detract from the goal at hand. 


2.3 Structural Properties of Contexts 

So far we have introduced terminology for describing objects in three different
ways: using a BNF grammar, defining objects and rules via a two-dimensional
implicit context, and using an explicit context containing structured sequences
of assumptions following a given context schema. For the latter, we have not yet
described the associated inference rules. Before we do (in Sect. 2.4 as mentioned),
we introduce structural properties of explicit contexts generically and abstractly.

We concentrate here on developing a common framework for describing object
languages including structural properties they might satisfy. However, we emphasize
that whether a given object language does admit structural properties such
as weakening or exchange is a property that needs to be verified on a case-by-case
basis. In the subsequent discussion and in all our benchmarks, we concentrate on
examples satisfying weakening, exchange, and strengthening, i.e., assumptions can
be used as often as needed, they can be used in any order, and certain assumptions
will be known not to be needed.

Our refined notion of context has an impact on structural properties of contexts:
e.g., weakening can be described by adding a new declaration to a context,
as well as adding an element inside a block of declarations. We distinguish between
structural properties of a concrete context and structural properties of all contexts
of a given schema. For example, given the context schemas S_α and S_αx, we know
that all concrete contexts of schema S_αx can be strengthened to obtain a concrete
context of schema S_α. Dually, we can think of weakening a context of schema S_α
to a context of schema S_αx. We introduce the operations rm and perm, where rm
removes an element of a declaration, and perm permutes the elements within a
declaration.

Definition 1 (Operations on Declarations)

— Let rm_A : S → S' be a total function taking a (well-formed) declaration D ∈ S
and returning a (well-formed) declaration D' ∈ S' where D' is D with A
removed, if A ∈ D; otherwise D' = D.

— Let perm_π : S → S' be a total function that permutes the elements of a (well-formed)
declaration D ∈ S according to π to obtain a (well-formed) declaration
D' ∈ S'.

Using these operations on declarations we state structural properties of declarations,
later to be extended to contexts. These make no assumptions and give
no guarantees about the schema of the context Γ, D and the resulting context
Γ, f(D) where f ∈ {rm_A, perm_π}. In fact, we often want to use these properties
when Γ satisfies some schema S, but D does not yet fit S; in this case, we apply
an operation to D so that Γ, f(D) does satisfy the schema S.

Since our context schema may contain alternatives, the function rm is defined
via case-analysis covering all the possibilities, where we describe dropping all assumptions
of a case using a dot, e.g., is_tm x ↦ ·. For example:

— rm_{x:A} : S_αt → S_αx = λd. case d of is_tp α ↦ is_tp α | is_tm y; y:A ↦ is_tm y

— rm_{is_tm x} : S_αx → S_α = λd. case d of is_tp α ↦ is_tp α | is_tm y ↦ ·

Property 2 (Structural Properties of Declarations)

1. Declaration Weakening:

      Γ, rm_A(D), Γ' ⊢ J
      ------------------ d-wk
         Γ, D, Γ' ⊢ J

2. Declaration Strengthening:

         Γ, D, Γ' ⊢ J
      ------------------ d-str†
      Γ, rm_A(D), Γ' ⊢ J

   with the proviso (†) that A is irrelevant to J³ and

3. Declaration Exchange:

           Γ, D, Γ' ⊢ J
      --------------------- d-exc
      Γ, perm_π(D), Γ' ⊢ J

The special case rm_A(A) drops A completely, since

      rm_A = λd. case d of A ↦ · | …

We treat Γ, ·, Γ' as equivalent to Γ, Γ'. Hence, in the special case where we have
Γ, rm_A(A), Γ', we obtain the well-known weakening and strengthening laws on
contexts that are often stated as:

      Γ, A, Γ' ⊢ J                Γ, Γ' ⊢ J
      ------------- str†       ------------- wk
        Γ, Γ' ⊢ J                Γ, A, Γ' ⊢ J

In contrast to the above, the general exchange property on blocks of declarations
cannot be obtained “for free” from the above operations and we define it explicitly:

Property 3 (Exchange)

      Γ, D', D, Γ' ⊢ J
      ------------------ exc
      Γ, D, D', Γ' ⊢ J

with the proviso that the sub-context D, D' is well-formed.

³ In practice, this may be done by maintaining a dependency call graph of all judgments.
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Further, we state structural properties of contexts generically. To “strengthen” 
all declarations in a given context F, we simply write rm)i(F) using the * super¬ 
script. More generally, by /* with / £ {rm, 4 , perm^}, we mean the iteration of 
the operation / over a context. 


Property 4 (Structural Properties of Contexts) 

1. Contest weakening 

rm *A£) H J , 

n-j c ' wk 

2. Contest strenqtheninq 

r J c _ strj 
r m •AC) ^ J ^ 

with the proviso (f) that declarations that are instances of A are irrelevant to 

J. 


3. Contest exchange 


r h j 

Perm* (P) h J 


c-exc 


Finally, by rmu (resp. rm^), we mean the iteration of rm a (resp. rm\) for every 
A £ D, while keeping the resulting declaration and the overall context well-formed, 
e.g. rrnj s _ tm y . y: A(-) = rrn is _ tm y(rm y: A(-))- All the above properties are admissible 
with respect to those extended rm functions. 

The following examples illustrate some of the subtleties of this machinery:

— $\Gamma, \mathrm{rm}_{x{:}A}(\mathrm{is\_tm}\ y;\ y{:}A) = \Gamma, \mathrm{is\_tm}\ y$. Bound variables in the annotation of $\mathrm{rm}$ can always be renamed so that they are consistent with the eigenvariables used in the declaration.

— $\mathrm{rm}^*_{\mathrm{is\_tm}\ x}(\mathrm{is\_tm}\ x_1, \mathrm{is\_tp}\ \alpha, \mathrm{is\_tp}\ \beta, \mathrm{is\_tm}\ x_2) = \mathrm{is\_tp}\ \alpha, \mathrm{is\_tp}\ \beta$. Here, the $\mathrm{rm}$ operation drops one of the alternatives in the schema $S_{ax}$.

— $\mathrm{rm}^*_{x{:}A}(\mathrm{is\_tm}\ x_1;\ x_1{:}\mathrm{nat}, \mathrm{is\_tm}\ x_2;\ x_2{:}\mathrm{bool}, \mathrm{is\_tp}\ \alpha) = (\mathrm{is\_tm}\ x_1, \mathrm{is\_tm}\ x_2, \mathrm{is\_tp}\ \alpha)$. The schematic variable $A$ occurring in the annotation of $\mathrm{rm}$ will be instantiated with $\mathrm{nat}$ when strengthening the block $\mathrm{is\_tm}\ x_1;\ x_1{:}\mathrm{nat}$ and similarly with $\mathrm{bool}$.

— $\mathrm{rm}_{\mathrm{is\_tm}\ y;\ y{:}A}(\mathrm{is\_tp}\ \alpha, \mathrm{is\_tp}\ \beta) = (\mathrm{is\_tp}\ \alpha, \mathrm{is\_tp}\ \beta)$. A $\mathrm{rm}$ operation may leave a context unchanged.
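To make the $\mathrm{rm}^*$ and exchange machinery concrete, here is an added Python example; it is not code from the paper or from the ORBI repository. It represents a context as a list of blocks (tuples of atoms), an atom as a tuple such as `("is_tm", "x1")` or `("of", "x1", "nat")` for $x_1{:}\mathrm{nat}$, and an $\mathrm{rm}$ annotation as a block whose pattern variables (bound variables like $x$, schematic variables like $A$) are listed explicitly so they can be renamed or instantiated per block, exactly as the examples above require. It also implements the exc rule with its proviso, refusing to swap two blocks when the second depends on a variable bound by the first. The tuple encoding, the explicit pattern-variable set and the sample contexts are all assumptions of this example; the sample contexts are constructed to mirror the list above.

```python
# Added example, not from the paper: contexts as sequences of declaration
# blocks, with the rm* (strengthening) and exchange operations of
# Properties 3 and 4. Atom = (predicate, *args); block = tuple of atoms;
# context = list of blocks. Pattern variables of an rm annotation are
# passed explicitly in `pvars` (an assumption of this encoding).
from typing import Optional


def match_atom(pat: tuple, atom: tuple, pvars: set, subst: dict) -> Optional[dict]:
    """Match a pattern atom against a context atom, extending `subst`
    consistently; return the extended substitution, or None on failure."""
    if pat[0] != atom[0] or len(pat) != len(atom):
        return None
    s = dict(subst)
    for p, a in zip(pat[1:], atom[1:]):
        if p in pvars:
            if s.setdefault(p, a) != a:   # same pattern variable, two values
                return None
        elif p != a:
            return None
    return s


def rm_block(annotation: tuple, block: tuple, pvars: set) -> tuple:
    """rm_D on one block: drop the atoms matched by every atom of the
    annotation, instantiating pattern variables once for the whole block.
    A block the annotation does not match is returned unchanged (this is
    the last example of the list above)."""
    subst, used = {}, []
    for pat in annotation:
        for i, atom in enumerate(block):
            if i in used:
                continue
            s = match_atom(pat, atom, pvars, subst)
            if s is not None:
                subst, used = s, used + [i]
                break
        else:
            return block
    return tuple(a for i, a in enumerate(block) if i not in used)


def rm_star(annotation: tuple, ctx: list, pvars: set) -> list:
    """rm*_D: iterate rm_D over every block; a block emptied by rm
    disappears, which is how a whole schema alternative is dropped."""
    out = []
    for block in ctx:
        rest = rm_block(annotation, block, pvars)
        if rest:
            out.append(rest)
    return out


def bound_vars(block: tuple) -> set:
    """Eigenvariables introduced by a block: arguments of is_tm / is_tp."""
    return {atom[1] for atom in block if atom[0] in ("is_tm", "is_tp")}


def can_exchange(ctx: list, i: int) -> bool:
    """Proviso of rule exc: the sub-context D, D' (blocks i and i+1) stays
    well-formed only if D' mentions no variable bound by D."""
    mentioned = {arg for atom in ctx[i + 1] for arg in atom[1:]}
    return not (bound_vars(ctx[i]) & mentioned)


def exchange(ctx: list, i: int) -> list:
    """Rule exc: swap blocks i and i+1, refusing to break a dependency."""
    if not can_exchange(ctx, i):
        raise ValueError("exchange not admissible: block %d depends on block %d" % (i + 1, i))
    return ctx[:i] + [ctx[i + 1], ctx[i]] + ctx[i + 2:]


def paper_examples() -> tuple:
    """The three rm examples of the list above on constructed contexts."""
    ctx1 = [(("is_tm", "x1"),), (("is_tp", "α"),), (("is_tp", "β"),), (("is_tm", "x2"),)]
    ex1 = rm_star((("is_tm", "x"),), ctx1, {"x"})
    ctx2 = [(("is_tm", "x1"), ("of", "x1", "nat")),
            (("is_tm", "x2"), ("of", "x2", "bool")),
            (("is_tp", "α"),)]
    ex2 = rm_star((("of", "x", "A"),), ctx2, {"x", "A"})
    ctx3 = [(("is_tp", "α"),), (("is_tp", "β"),)]
    ex3 = rm_star((("is_tm", "y"), ("of", "y", "A")), ctx3, {"y", "A"})
    return ex1, ex2, ex3
```

The substitution built by `match_atom` is shared across the atoms of one block but started afresh for every block, which is what lets $A$ become $\mathrm{nat}$ in one block and $\mathrm{bool}$ in the next, while the same block cannot instantiate $A$ twice.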

We state next the substitution properties for assumptions. The parametric substitution property allows us to instantiate parameters, i.e., eigenvariables, in the context. For example, given $\mathrm{is\_tp}\ \alpha, \mathrm{is\_tp}\ \beta \vdash J$ and a type $\mathrm{bool}$, we can obtain $\mathrm{is\_tp}\ \mathrm{bool}, \mathrm{is\_tp}\ \beta \vdash [\mathrm{bool}/\alpha]J$ by replacing $\alpha$ with $\mathrm{bool}$. The hypothetical substitution property allows us to eliminate an atomic formula $A$ that is part of a declaration $D$. For example, given $\mathrm{is\_tp}\ \mathrm{bool}, \mathrm{is\_tp}\ \beta \vdash J$ and evidence that $\mathrm{is\_tp}\ \mathrm{bool}$, we can obtain $\mathrm{is\_tp}\ \beta \vdash J$. In type theory the two substitution properties collapse into one.

Property 5 (Substitution Properties)

— Hypothetical Substitution:

If $\Gamma_1, (D_1; A; D_2), \Gamma_2 \vdash J$ and $\Gamma_1, D_1 \vdash A$, then $\Gamma_1, (D_1; D_2), \Gamma_2 \vdash J$ provided that $D_1; D_2$ is a well-formed declaration in $\Gamma_1$.

— Parametric Substitution:

If $\Gamma_1, (D_1; \mathrm{is\_wf}\ x; D_2), \Gamma_2 \vdash J$, then $\Gamma_1, (D_1; [t/x]D_2), [t/x]\Gamma_2 \vdash [t/x]J$ for any term $t$ for which $D_1 \vdash \mathrm{is\_wf}\ t$ holds.

While parametric and hypothetical substitution do not preserve schema satisfaction by definition, we typically use them in such a way that contexts continue to satisfy a given schema.

We close this section recalling that, although we concentrate in our benchmarks on describing object languages that satisfy structural properties usually associated with intuitionistic logic, our terminology can also be used to characterize sub-structural object languages. In the case of a linear object language, we might choose to only use operations such as $\mathrm{perm}$ and omit operations such as $\mathrm{rm}$ so as to faithfully and adequately characterize the allowed context operations.


2.4 The Polymorphic Lambda-Calculus Revisited

In systems supporting HOAS, inference rules are usually expressed using an implicit-context representation as illustrated in Fig. 1. The need for explicit structured contexts, as discussed in Sects. 2.2 and 2.3, arises when performing meta-reasoning about the judgments expressed by these inference rules. In order to make the link, we revisit the example from Sect. 2.1, giving a presentation with explicit contexts, and then we make some preliminary remarks about context schemas and meta-reasoning. We will adopt the explicit-context representation of inference rules in the rest of the paper with the informal understanding of how to move between the implicit and explicit formulations.


Well-formed Types

$$\frac{\mathrm{is\_tp}\ \alpha \in \Gamma}{\Gamma \vdash \mathrm{is\_tp}\ \alpha}\ \mathrm{tp}_v \qquad
\frac{\Gamma \vdash \mathrm{is\_tp}\ A \quad \Gamma \vdash \mathrm{is\_tp}\ B}{\Gamma \vdash \mathrm{is\_tp}\ (\mathrm{arr}\ A\ B)}\ \mathrm{tp}_{ar} \qquad
\frac{\Gamma, \mathrm{is\_tp}\ \alpha \vdash \mathrm{is\_tp}\ A}{\Gamma \vdash \mathrm{is\_tp}\ (\mathrm{all}\ \alpha.\ A)}\ \mathrm{tp}_{al}$$

Well-formed Terms

$$\frac{\mathrm{is\_tm}\ x \in \Gamma}{\Gamma \vdash \mathrm{is\_tm}\ x}\ \mathrm{tm}_v \qquad
\frac{\Gamma, \mathrm{is\_tm}\ x \vdash \mathrm{is\_tm}\ M}{\Gamma \vdash \mathrm{is\_tm}\ (\mathrm{lam}\ x.\ M)}\ \mathrm{tm}_l \qquad
\frac{\Gamma, \mathrm{is\_tp}\ \alpha \vdash \mathrm{is\_tm}\ M}{\Gamma \vdash \mathrm{is\_tm}\ (\mathrm{tlam}\ \alpha.\ M)}\ \mathrm{tm}_{tl}$$

$$\frac{\Gamma \vdash \mathrm{is\_tm}\ M_1 \quad \Gamma \vdash \mathrm{is\_tm}\ M_2}{\Gamma \vdash \mathrm{is\_tm}\ (\mathrm{app}\ M_1\ M_2)}\ \mathrm{tm}_a \qquad
\frac{\Gamma \vdash \mathrm{is\_tm}\ M \quad \Gamma \vdash \mathrm{is\_tp}\ A}{\Gamma \vdash \mathrm{is\_tm}\ (\mathrm{tapp}\ M\ A)}\ \mathrm{tm}_{ta}$$

Typing for the Polymorphic $\lambda$-Calculus

$$\frac{x{:}B \in \Gamma}{\Gamma \vdash x : B}\ \mathrm{of}_v \qquad
\frac{\Gamma, \mathrm{is\_tp}\ \alpha \vdash M : B}{\Gamma \vdash \mathrm{tlam}\ \alpha.\ M : \mathrm{all}\ \alpha.\ B}\ \mathrm{of}_{tl} \qquad
\frac{\Gamma \vdash M : \mathrm{all}\ \alpha.\ A \quad \Gamma \vdash \mathrm{is\_tp}\ B}{\Gamma \vdash (\mathrm{tapp}\ M\ B) : [B/\alpha]A}\ \mathrm{of}_{ta}$$

$$\frac{\Gamma, \mathrm{is\_tm}\ x;\ x{:}A \vdash M : B}{\Gamma \vdash \mathrm{lam}\ x.\ M : \mathrm{arr}\ A\ B}\ \mathrm{of}_l \qquad
\frac{\Gamma \vdash M : \mathrm{arr}\ B\ A \quad \Gamma \vdash N : B}{\Gamma \vdash (\mathrm{app}\ M\ N) : A}\ \mathrm{of}_a$$

In this formulation, and differently from the implicit one, we have a base case for variables. Here, to look up an assumption in a context, we simply write $A \in \Gamma$, meaning that there is some block $D$ in context $\Gamma$ such that $A \in D$. For example $x{:}B \in \Gamma$ holds if $\Gamma$ contains block $\mathrm{is\_tm}\ x;\ x{:}B$. We will also overload the notation and write $D \in \Gamma$ to indicate that $\Gamma$ contains the entire block $D$. We recall the distinction between the comma used to separate blocks, and the semi-colon used to separate atoms within blocks, as seen in the $\mathrm{of}_l$ rule, for example. The assumption that all variables occurring in contexts are distinct from one another is silently preserved by the implicit proviso in rules that extend the context, where we rename the bound variable if already present.

Note that we use a generic $\Gamma$ for the context appearing in these rules, whereas the reader may have expected this to be, for example, $\Phi_{at}$ having schema $S_{at}$ in the typing rules. In fact, we take a more liberal approach, where we pass to the rules any context that can be seen as a weakening of $\Phi_{at}$; in other words, any $\Gamma$ such that there exists a $D$ for which $\mathrm{rm}^*_D(\Gamma) = \Phi_{at}$.

Suppose now, to fix ideas, that $\Phi_{at} \vdash M : B$ holds. By convention, we implicitly assume that both $B$ and $M$ are well-formed, which means that $\Phi_{at} \vdash \mathrm{is\_tp}\ B$ and $\Phi_{at} \vdash \mathrm{is\_tm}\ M$. In fact, we can define functions $\mathrm{rm}^*_{x{:}C}$ and $\mathrm{rm}^*_{\mathrm{is\_tm}\ x;\ x{:}C}$, use them to define strengthened contexts $\Phi_{ax}$ and $\Phi_a$, and apply the c-str rule to conclude the following:

1. $\Phi_{ax} := \mathrm{rm}^*_{x{:}C}(\Phi_{at})$, $\Phi_{ax}$ has_schema $S_{ax}$, and $\Phi_{ax} \vdash \mathrm{is\_tm}\ M$;

2. $\Phi_a := \mathrm{rm}^*_{\mathrm{is\_tm}\ x;\ x{:}C}(\Phi_{at})$, $\Phi_a$ has_schema $S_a$, and $\Phi_a \vdash \mathrm{is\_tp}\ B$.

2.5 Generalized Contexts vs. Context Relations

As an alternative to using functions such as $\mathrm{rm}^*_{x{:}C}$ in item (1), we may adopt the more suggestive notation $\Phi_{ax} \sim \Phi_{at}$, using inference rules for the context relation corresponding to the graph of the function $\lambda d.\ \mathbf{case}\ d\ \mathbf{of}\ \mathrm{is\_tp}\ \alpha \mapsto \mathrm{is\_tp}\ \alpha \mid \mathrm{is\_tm}\ x;\ x{:}C \mapsto \mathrm{is\_tm}\ x$:

$$\frac{}{\cdot \sim \cdot} \qquad
\frac{\Phi_{ax} \sim \Phi_{at}}{(\Phi_{ax}, \mathrm{is\_tp}\ \alpha) \sim (\Phi_{at}, \mathrm{is\_tp}\ \alpha)} \qquad
\frac{\Phi_{ax} \sim \Phi_{at}}{(\Phi_{ax}, \mathrm{is\_tm}\ x) \sim (\Phi_{at}, \mathrm{is\_tm}\ x;\ x{:}B)}$$

Similarly, an alternative to $\mathrm{rm}^*_{\mathrm{is\_tm}\ x;\ x{:}C}$ in item (2) is the following context relation:

$$\frac{}{\cdot \sim \cdot} \qquad
\frac{\Phi_a \sim \Phi_{at}}{(\Phi_a, \mathrm{is\_tp}\ \alpha) \sim (\Phi_{at}, \mathrm{is\_tp}\ \alpha)} \qquad
\frac{\Phi_a \sim \Phi_{at}}{\Phi_a \sim (\Phi_{at}, \mathrm{is\_tm}\ x;\ x{:}B)}$$

The above two statements can now be restated using these relations. Given $\Phi_{at}$, let $\Phi_{ax}$ and $\Phi_a$ be the unique contexts such that:

1. $\Phi_{ax} \sim \Phi_{at}$, $\Phi_{ax}$ has_schema $S_{ax}$, and $\Phi_{ax} \vdash \mathrm{is\_tm}\ M$;

2. $\Phi_a \sim \Phi_{at}$, $\Phi_a$ has_schema $S_a$, and $\Phi_a \vdash \mathrm{is\_tp}\ B$.

When stating and proving properties, we often relate two judgments to each other, where each one has its own context. For example, we may want to prove statements such as “if $\Phi_{ax} \vdash J_1$ then $\Phi_{at} \vdash J_2$.” The question is how we achieve that. In the benchmarks in this paper, we consider two approaches:

1. We reinterpret the statement in the smallest context that collects all relevant assumptions; we call this the generalized context approach (G). In this case, we reinterpret the above statement about $J_1$ in a context containing additional assumptions about typing, which in this case is $\Phi_{at}$, yielding:

“if $\Phi_{at} \vdash J_1$ then $\Phi_{at} \vdash J_2$.”

2. We state how two (or more) contexts are related; we call this the context relations approach (R). Here, we define context relations such as those above and use them explicitly in the statements of theorems. In this case, we use $\Phi_{ax} \sim \Phi_{at}$, yielding:

“if $\Phi_{ax} \vdash J_1$ and $\Phi_{ax} \sim \Phi_{at}$ then $\Phi_{at} \vdash J_2$.”

Note that here too we “minimize” the relations, in the sense of relating the smallest possible contexts where the relevant judgments make sense.


2.6 Context Promotion and Linear Extension of Contexts and Schemas

Another common idiom in meta-reasoning occurs when we have established a property for a particular context and we would like to use this property subsequently in a more general context. Assume that we have proven a lemma about types in context $\Phi_a$ of the form “if $\Phi_a \vdash J_1$ then $\Phi_a \vdash J_2$.” We now want to use this lemma in a proof about terms, that is, where we have a context $\Phi_{ax}$ and $\Phi_{ax} \vdash J_1$. We may need to promote this lemma, and prove: “if $\Phi_{ax} \vdash J_1$ then $\Phi_{ax} \vdash J_2$.” We will see several examples of such promotion lemmas in Sect. 3.

Finally, to structure our subsequent discussion, it is useful to introduce some additional terminology regarding context relationships, where we use “relationship” in contrast to the more specific notion of “context relation.”

— Linear extension of a declaration: a declaration $D_2$ is a linear extension of a declaration $D_1$, if every atom in the declaration $D_1$ is a member of the declaration $D_2$.

— Linear extension of a schema: a schema $S_2$ is a linear extension of a schema $S_1$, if every declaration in $S_1$ is a linear extension of a declaration in $S_2$. For example $S_{at}$ is a linear extension of $S_{ax}$.

Given a context $\Phi_1$ of schema $S_1$ and a context $\Phi_2$ of schema $S_2$ where $S_2$ is a linear extension of $S_1$, we say that $\Phi_2$ is a linear extension of $\Phi_1$ (i.e., linear context extension). Of course, sometimes declarations, schemas and contexts are not related linearly. For example, we may have a schema $S_2$ and a schema $S_3$ both of which are linear extensions of $S_1$; however, $S_2$ is not a linear extension of $S_3$ (or vice versa). In this case, we say $S_2$ and $S_3$ are non-linear extensions of each other and they share a most specific common fragment.


3 Benchmarks 

In this section, we present several case studies establishing proofs of various properties of the lambda-calculus. We have structured this section around the different shapes and properties of contexts, namely:

1. Basic linear context extensions: We consider here contexts containing no alternatives. We refer to such contexts as basic. We discuss context membership and revisit structural properties such as weakening and strengthening.

2. Linear context extensions with alternative declarations.

3. Non-linear context extensions: We consider more complex relationships between contexts and discuss how our proofs involving weakening and strengthening change.

4. Order: We consider how the ordered structure of contexts impacts proofs relying on exchange.

5. Uniqueness: We consider here a case study which highlights how the issue of distinctness of all variable declarations in a context arises in proofs.

6. Substitution: Finally, we exhibit the fundamental properties of hypothetical and parametric substitution.

The benchmark problems are purposefully simple; they are designed to be easily understood so that one can quickly appreciate the capabilities and trade-offs of the different systems in which they can be implemented. Yet we believe they are representative of the issues and problems arising when encoding formal systems and reasoning about them. We will subsequently discuss both the G approach and the R approach and comment on the trade-offs and differences in proofs depending on the chosen approach.


3.1 Basic Linear Context Extension 

We concentrate in this section on contexts with simple schemas consisting of a single declaration. We aim to show the basic building blocks of reasoning over open terms: namely what a context looks like and the structure of an inductive proof. For the latter, we focus on the case analysis and, at the risk of being pedantic, the precise way in which the induction hypothesis is applied.

We start with a very simple judgment: algorithmic equality for the untyped lambda-calculus, written $(\mathrm{aeq}\ M\ N)$, also known as copy clauses (see Miller 1991). We say that two terms are algorithmically equal provided they have the same structure with respect to the constructors.

Algorithmic Equality

$$\frac{\mathrm{aeq}\ x\ x \in \Gamma}{\Gamma \vdash \mathrm{aeq}\ x\ x}\ \mathrm{ae}_v \qquad
\frac{\Gamma, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x \vdash \mathrm{aeq}\ M\ N}{\Gamma \vdash \mathrm{aeq}\ (\mathrm{lam}\ x.\ M)\ (\mathrm{lam}\ x.\ N)}\ \mathrm{ae}_l \qquad
\frac{\Gamma \vdash \mathrm{aeq}\ M_1\ N_1 \quad \Gamma \vdash \mathrm{aeq}\ M_2\ N_2}{\Gamma \vdash \mathrm{aeq}\ (\mathrm{app}\ M_1\ M_2)\ (\mathrm{app}\ N_1\ N_2)}\ \mathrm{ae}_a$$

The context schemas needed for reasoning about this judgment are the following:

Context Schemas $S_x := \mathrm{is\_tm}\ x$

$S_{xa} := \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x$

where a context $\Phi_{xa}$ satisfying $S_{xa}$ is the smallest possible context in which such an equality judgment can hold. Thus, as discussed in the previous section, when writing judgment $\Phi_{xa} \vdash \mathrm{aeq}\ M\ N$, we assume that $\Phi_{xa} \vdash \mathrm{is\_tm}\ M$ and $\Phi_{xa} \vdash \mathrm{is\_tm}\ N$ hold, and thus also $\Phi_x \vdash \mathrm{is\_tm}\ M$ and $\Phi_x \vdash \mathrm{is\_tm}\ N$ hold by employing an implicit c-str (using $\mathrm{rm}^*_{\mathrm{aeq}\ x\ x}$). We note that both contexts $\Phi_x$ and $\Phi_{xa}$ are simple contexts consisting of one declaration block. Moreover, $S_x$ is a sub-schema of $S_{xa}$ and therefore the context $\Phi_{xa}$ is a linear extension of the context $\Phi_x$.

In view of the pedagogical nature of this subsection and also of the content of Sect. 3.3, which will build on this example, we start with a straightforward property: algorithmic equality is reflexive. This property should follow by induction on $M$ (via the well-formed term judgment, which is not shown, but uses the obvious subset of the rules in Sect. 2.4). However, the question of which contexts the two judgments should be stated in arises immediately; recall that we want to prove “if $\Phi_x \vdash \mathrm{is\_tm}\ M$ then $\Phi_{xa} \vdash \mathrm{aeq}\ M\ M$.” $\Phi_{xa}$ should be a context satisfying $S_{xa}$ since the definition of this schema came directly from the inference rules of this judgment. The form that $\Phi_x$ should take is less clear. The main requirement comes from the base case, where we must know that for every assumption $\mathrm{is\_tm}\ x$ in $\Phi_x$ there exists a corresponding assumption $\mathrm{aeq}\ x\ x$ in $\Phi_{xa}$. The answer differs depending on whether we choose the R approach or the G approach. We discuss each in turn below.


3.1.1 Context Relations, R Version

The relation needed here is $\Phi_x \sim \Phi_{xa}$, defined as follows:

Context Relation

$$\frac{}{\cdot \sim \cdot}\ \mathrm{crel}_e \qquad
\frac{\Phi_x \sim \Phi_{xa}}{\Phi_x, \mathrm{is\_tm}\ x \sim \Phi_{xa}, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x}\ \mathrm{crel}_{xa}$$

Note that $\mathrm{is\_tm}\ x$ will occur in $\Phi_x$ in sync with an assumption block containing $\mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x$ in $\Phi_{xa}$. This is a property which needs to be established separately, so at the risk of redundancy, we state it as a “member” lemma.

Lemma 6 (Context Membership) $\Phi_x \sim \Phi_{xa}$ implies that $\mathrm{is\_tm}\ x \in \Phi_x$ iff $\mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x \in \Phi_{xa}$.

Proof By induction on $\Phi_x \sim \Phi_{xa}$.

Theorem 7 (Admissibility of Reflexivity, R Version) Assume $\Phi_x \sim \Phi_{xa}$. If $\Phi_x \vdash \mathrm{is\_tm}\ M$ then $\Phi_{xa} \vdash \mathrm{aeq}\ M\ M$.

Proof By induction on the derivation $\mathcal{D} :: \Phi_x \vdash \mathrm{is\_tm}\ M$.

Case:

$$\mathcal{D} = \frac{\mathrm{is\_tm}\ x \in \Phi_x}{\Phi_x \vdash \mathrm{is\_tm}\ x}\ \mathrm{tm}_v$$

$\mathrm{is\_tm}\ x \in \Phi_x$  by rule premise
$\mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x \in \Phi_{xa}$  by Lemma 6
$\Phi_{xa} \vdash \mathrm{aeq}\ x\ x$  by rule $\mathrm{ae}_v$

Case:

$$\mathcal{D} = \frac{\overset{\mathcal{D}_1}{\Phi_x \vdash \mathrm{is\_tm}\ M_1} \quad \overset{\mathcal{D}_2}{\Phi_x \vdash \mathrm{is\_tm}\ M_2}}{\Phi_x \vdash \mathrm{is\_tm}\ (\mathrm{app}\ M_1\ M_2)}\ \mathrm{tm}_a$$

$\Phi_x \vdash \mathrm{is\_tm}\ M_1$  sub-derivation $\mathcal{D}_1$
$\Phi_{xa} \vdash \mathrm{aeq}\ M_1\ M_1$  by IH
$\Phi_x \vdash \mathrm{is\_tm}\ M_2$  sub-derivation $\mathcal{D}_2$
$\Phi_{xa} \vdash \mathrm{aeq}\ M_2\ M_2$  by IH
$\Phi_{xa} \vdash \mathrm{aeq}\ (\mathrm{app}\ M_1\ M_2)\ (\mathrm{app}\ M_1\ M_2)$  by rule $\mathrm{ae}_a$

Case:

$$\mathcal{D} = \frac{\overset{\mathcal{D}'}{\Phi_x, \mathrm{is\_tm}\ x \vdash \mathrm{is\_tm}\ M}}{\Phi_x \vdash \mathrm{is\_tm}\ (\mathrm{lam}\ x.\ M)}\ \mathrm{tm}_l$$

$\Phi_x, \mathrm{is\_tm}\ x \vdash \mathrm{is\_tm}\ M$  sub-derivation $\mathcal{D}'$
$\Phi_x \sim \Phi_{xa}$  by assumption
$(\Phi_x, \mathrm{is\_tm}\ x) \sim (\Phi_{xa}, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x)$  by rule $\mathrm{crel}_{xa}$
$\Phi_{xa}, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x \vdash \mathrm{aeq}\ M\ M$  by IH
$\Phi_{xa} \vdash \mathrm{aeq}\ (\mathrm{lam}\ x.\ M)\ (\mathrm{lam}\ x.\ M)$  by rule $\mathrm{ae}_l$

3.1.2 Generalized Contexts, G Version

In this example, since $S_{xa}$ includes all assumptions in $S_x$, $S_{xa}$ will serve as the schema of our generalized context.

Theorem 8 (Admissibility of Reflexivity, G Version) If $\Phi_{xa} \vdash \mathrm{is\_tm}\ M$ then $\Phi_{xa} \vdash \mathrm{aeq}\ M\ M$.

Proof By induction on the derivation $\mathcal{D} :: \Phi_{xa} \vdash \mathrm{is\_tm}\ M$.

Case:

$$\mathcal{D} = \frac{\mathrm{is\_tm}\ x \in \Phi_{xa}}{\Phi_{xa} \vdash \mathrm{is\_tm}\ x}\ \mathrm{tm}_v$$

$\mathrm{is\_tm}\ x \in \Phi_{xa}$  by rule premise
$\Phi_{xa}$ contains block $(\mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x)$  by definition of $S_{xa}$
$\Phi_{xa} \vdash \mathrm{aeq}\ x\ x$  by rule $\mathrm{ae}_v$

Case:

$$\mathcal{D} = \frac{\overset{\mathcal{D}_1}{\Phi_{xa} \vdash \mathrm{is\_tm}\ M_1} \quad \overset{\mathcal{D}_2}{\Phi_{xa} \vdash \mathrm{is\_tm}\ M_2}}{\Phi_{xa} \vdash \mathrm{is\_tm}\ (\mathrm{app}\ M_1\ M_2)}\ \mathrm{tm}_a$$

$\Phi_{xa} \vdash \mathrm{aeq}\ M_1\ M_1$  by IH on $\mathcal{D}_1$
$\Phi_{xa} \vdash \mathrm{aeq}\ M_2\ M_2$  by IH on $\mathcal{D}_2$
$\Phi_{xa} \vdash \mathrm{aeq}\ (\mathrm{app}\ M_1\ M_2)\ (\mathrm{app}\ M_1\ M_2)$  by rule $\mathrm{ae}_a$

Case:

$$\mathcal{D} = \frac{\overset{\mathcal{D}'}{\Phi_{xa}, \mathrm{is\_tm}\ x \vdash \mathrm{is\_tm}\ M}}{\Phi_{xa} \vdash \mathrm{is\_tm}\ (\mathrm{lam}\ x.\ M)}\ \mathrm{tm}_l$$

$\Phi_{xa}, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x \vdash \mathrm{is\_tm}\ M$  by d-wk on $\mathcal{D}'$
$\Phi_{xa}, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x \vdash \mathrm{aeq}\ M\ M$  by IH
$\Phi_{xa} \vdash \mathrm{aeq}\ (\mathrm{lam}\ x.\ M)\ (\mathrm{lam}\ x.\ M)$  by rule $\mathrm{ae}_l$

Note that the application cases of Theorems 7 and 8 are the same except for the context used for the well-formed term judgment. The lambda case here, on the other hand, requires an additional weakening step. In particular, d-wk is used to add an atom to form the declaration needed for schema $S_{xa}$. The context before applying weakening does not satisfy this schema, and the induction hypothesis cannot be applied until it does.

We end this subsection by stating the remaining properties needed to establish that algorithmic equality is indeed a congruence, which we will prove in Sect. 3.3. Since the proof involves only one context, the two approaches (R and G) collapse.

Lemma 9 (Context Inversion) If $\mathrm{aeq}\ M\ N \in \Phi_{xa}$ then $M = N$.

Proof Induction on $\mathrm{aeq}\ M\ N \in \Phi_{xa}$.

Theorem 10 (Admissibility of Symmetry and Transitivity)

1. If $\Phi_{xa} \vdash \mathrm{aeq}\ M\ N$ then $\Phi_{xa} \vdash \mathrm{aeq}\ N\ M$.

2. If $\Phi_{xa} \vdash \mathrm{aeq}\ M\ L$ and $\Phi_{xa} \vdash \mathrm{aeq}\ L\ N$ then $\Phi_{xa} \vdash \mathrm{aeq}\ M\ N$.

Proof Induction on the given derivation using Lemma 9 in the variable case.
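The following added Python example (it is not code from the paper or from any of the systems surveyed) turns the judgments of this subsection into a checker: $\Gamma \vdash \mathrm{is\_tm}\ M$ over a context of schema $S_x$, $\Gamma \vdash \mathrm{aeq}\ M\ N$ over a context of schema $S_{xa}$, and the function whose graph is the relation $\Phi_x \sim \Phi_{xa}$ of the R version, so that Theorem 7 can be exercised on concrete terms. Terms are nested tuples `("var", x)`, `("lam", x, M)`, `("app", M, N)`, contexts are lists of blocks of atom tuples, and binders are renamed to a fresh eigenvariable when the context is extended, which is how the example maintains the distinctness of context variables; all of these representation choices, and the sample terms, are assumptions of the example.

```python
# Added example, not from the paper: checkers for the is_tm and aeq
# judgments with explicit contexts of schema S_x and S_xa respectively.
# Terms: ("var", x) | ("lam", x, M) | ("app", M, N).  Blocks are tuples of
# atoms such as ("is_tm", x) and ("aeq", x, x); a context is a list of blocks.

def declared(ctx: list) -> set:
    """Variables declared by is_tm atoms anywhere in the context."""
    return {atom[1] for block in ctx for atom in block if atom[0] == "is_tm"}


def variables(M: tuple) -> set:
    """All variable names occurring in a term, bound or free."""
    if M[0] == "var":
        return {M[1]}
    if M[0] == "lam":
        return {M[1]} | variables(M[2])
    return variables(M[1]) | variables(M[2])


def rename(M: tuple, old: str, new: str) -> tuple:
    """Replace free occurrences of `old` by `new`; `new` is always fresh."""
    if M[0] == "var":
        return ("var", new) if M[1] == old else M
    if M[0] == "lam":
        return M if M[1] == old else ("lam", M[1], rename(M[2], old, new))
    return ("app", rename(M[1], old, new), rename(M[2], old, new))


def fresh(x: str, taken: set) -> str:
    """An eigenvariable name not already used by the context or the terms."""
    while x in taken:
        x += "'"
    return x


def is_tm(ctx: list, M: tuple) -> bool:
    """Γ ⊢ is_tm M (rules tm_v, tm_l, tm_a) for Γ of schema S_x."""
    if M[0] == "var":
        return any(("is_tm", M[1]) in block for block in ctx)              # tm_v
    if M[0] == "lam":
        x = fresh(M[1], declared(ctx) | variables(M))
        return is_tm(ctx + [(("is_tm", x),)], rename(M[2], M[1], x))      # tm_l
    if M[0] == "app":
        return is_tm(ctx, M[1]) and is_tm(ctx, M[2])                        # tm_a
    return False


def aeq(ctx: list, M: tuple, N: tuple) -> bool:
    """Γ ⊢ aeq M N (rules ae_v, ae_l, ae_a) for Γ of schema S_xa."""
    if M[0] == "var" and N[0] == "var":
        return M[1] == N[1] and any(("aeq", M[1], M[1]) in b for b in ctx)  # ae_v
    if M[0] == "lam" and N[0] == "lam":
        # ae_l binds a single x for both terms: pick it fresh, rename both bodies
        x = fresh(M[1], declared(ctx) | variables(M) | variables(N))
        return aeq(ctx + [(("is_tm", x), ("aeq", x, x))],
                   rename(M[2], M[1], x), rename(N[2], N[1], x))            # ae_l
    if M[0] == "app" and N[0] == "app":
        return aeq(ctx, M[1], N[1]) and aeq(ctx, M[2], N[2])                # ae_a
    return False


def relate(phi_x: list) -> list:
    """The function whose graph is Φ_x ~ Φ_xa (rules crel_e, crel_xa):
    every block (is_tm x) of Φ_x becomes (is_tm x; aeq x x)."""
    return [(("is_tm", x), ("aeq", x, x)) for ((_, x),) in phi_x]


def reflexivity(phi_x: list, M: tuple) -> bool:
    """Theorem 7 on one instance: Φ_x ⊢ is_tm M and Φ_xa ⊢ aeq M M for the
    Φ_xa related to Φ_x; False when M is not well-formed in Φ_x."""
    return is_tm(phi_x, M) and aeq(relate(phi_x), M, M)
```

Because `aeq` is a decision procedure for a judgment whose only context rule is $\mathrm{ae}_v$, a free variable that is not declared in the context makes the judgment fail, which is precisely why Theorem 7 needs the membership Lemma 6 relating $\Phi_x$ to $\Phi_{xa}$.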


3.2 Linear Context Extensions with Alternative Declarations

We extend our algorithmic equality case study to the polymorphic lambda-calculus, highlighting the situation where judgments induce context schemas with alternatives. We accordingly add the judgment for type equality, $\mathrm{atp}\ A\ B$, noting that the latter can be defined independently of term equality. In other words $\mathrm{aeq}\ M\ N$ depends on $\mathrm{atp}\ A\ B$, but not vice-versa. In addition to $S_a$ and $S_{ax}$ introduced in Sect. 2, the following new context schemas are also used here:

$S_{atp} := \mathrm{is\_tp}\ \alpha;\ \mathrm{atp}\ \alpha\ \alpha$

$S_{aeq} := \mathrm{is\_tp}\ \alpha;\ \mathrm{atp}\ \alpha\ \alpha + \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x$

The rules for the two equality judgments extend those given in Sect. 3.1. The additional rules are stated below.

Algorithmic Equality for the Polymorphic Lambda-Calculus

$$\frac{\Gamma, \mathrm{is\_tp}\ \alpha;\ \mathrm{atp}\ \alpha\ \alpha \vdash \mathrm{aeq}\ M\ N}{\Gamma \vdash \mathrm{aeq}\ (\mathrm{tlam}\ \alpha.\ M)\ (\mathrm{tlam}\ \alpha.\ N)}\ \mathrm{ae}_{tl} \qquad
\frac{\Gamma \vdash \mathrm{aeq}\ M\ N \quad \Gamma \vdash \mathrm{atp}\ A\ B}{\Gamma \vdash \mathrm{aeq}\ (\mathrm{tapp}\ M\ A)\ (\mathrm{tapp}\ N\ B)}\ \mathrm{ae}_{ta}$$

$$\frac{\mathrm{atp}\ \alpha\ \alpha \in \Gamma}{\Gamma \vdash \mathrm{atp}\ \alpha\ \alpha}\ \mathrm{at}_v \qquad
\frac{\Gamma, \mathrm{is\_tp}\ \alpha;\ \mathrm{atp}\ \alpha\ \alpha \vdash \mathrm{atp}\ A\ B}{\Gamma \vdash \mathrm{atp}\ (\mathrm{all}\ \alpha.\ A)\ (\mathrm{all}\ \alpha.\ B)}\ \mathrm{at}_{al} \qquad
\frac{\Gamma \vdash \mathrm{atp}\ A_1\ B_1 \quad \Gamma \vdash \mathrm{atp}\ A_2\ B_2}{\Gamma \vdash \mathrm{atp}\ (\mathrm{arr}\ A_1\ A_2)\ (\mathrm{arr}\ B_1\ B_2)}\ \mathrm{at}_a$$

We show again the admissibility of reflexivity. We start with the G version this time.
3.2.1 G Version

We first state and prove the admissibility of reflexivity for types, which we then use in the proof of admissibility of reflexivity for terms. The schema for the generalized context for the former is $S_{atp}$ since the statement and proof do not depend on terms. The schema for the latter is $S_{aeq}$.

Theorem 11 (Admissibility of Reflexivity for Types, G Version)

If $\Phi_{atp} \vdash \mathrm{is\_tp}\ A$ then $\Phi_{atp} \vdash \mathrm{atp}\ A\ A$.

The proof is exactly the same as the proof of Theorem 8 modulo replacing $\mathrm{app}$ and $\mathrm{lam}$ with $\mathrm{arr}$ and $\mathrm{all}$, respectively, and using the corresponding rules.

As we have already mentioned in Sect. 2, it is often the case that we need to appeal to a lemma in a context that is different from the context where it was proved. A concrete example is the above lemma, which is stated in context $\Phi_{atp}$, but is needed in the proof of the next theorem in the larger context $\Phi_{aeq}$. To illustrate, we state and prove the necessary promotion lemma here.

Lemma 12 (G-Promotion for Type Reflexivity)

If $\Phi_{aeq} \vdash \mathrm{is\_tp}\ A$ then $\Phi_{aeq} \vdash \mathrm{atp}\ A\ A$.

Proof

$\Phi_{aeq} \vdash \mathrm{is\_tp}\ A$  by assumption
$\Phi_{atp} \vdash \mathrm{is\_tp}\ A$  by c-str
$\Phi_{atp} \vdash \mathrm{atp}\ A\ A$  by Theorem 11
$\Phi_{aeq} \vdash \mathrm{atp}\ A\ A$  by c-wk

In general, proofs of promotion lemmas require applications of c-str and c-wk, which perform a uniform modification to an entire context. In contrast, the abstraction cases in proofs such as the lambda case of Theorem 8 require d-wk to add atoms to a single declaration. The particular function used here is $\mathrm{rm}^*_{\mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x}$, which drops an entire alternative from $\Phi_{aeq}$ to obtain $\Phi_{atp}$ and leaves the other alternative unchanged. The combination of c-str and c-wk in proofs of promotion lemmas is related to subsumption (see Harper and Licata 2007).

Note that we could omit Theorem 11 and instead prove Lemma 12 directly, removing the need for a promotion lemma. For modularity purposes, we adopt the approach that we state each theorem in the smallest possible context in which it is valid. This particular lemma, for example, will be needed in an even bigger context than $\Phi_{aeq}$ in Sect. 3.3. In general, we do not want the choice of context in the statement of a lemma to depend on later theorems whose proofs require this lemma. Instead, we choose the smallest context and state and prove promotion lemmas where needed.

Theorem 13 (Admissibility of Reflexivity for Terms, G Version)

If $\Phi_{aeq} \vdash \mathrm{is\_tm}\ M$ then $\Phi_{aeq} \vdash \mathrm{aeq}\ M\ M$.

Proof Again, the proof is by induction on the given well-formed term derivation, in this case $\mathcal{D} :: \Phi_{aeq} \vdash \mathrm{is\_tm}\ M$, and is similar to the proof of Theorem 8. We show the case for application of terms to types.

Case:

$$\mathcal{D} = \frac{\overset{\mathcal{D}_1}{\Phi_{aeq} \vdash \mathrm{is\_tm}\ M} \quad \overset{\mathcal{D}_2}{\Phi_{aeq} \vdash \mathrm{is\_tp}\ A}}{\Phi_{aeq} \vdash \mathrm{is\_tm}\ (\mathrm{tapp}\ M\ A)}\ \mathrm{tm}_{ta}$$

$\Phi_{aeq} \vdash \mathrm{aeq}\ M\ M$  by IH on $\mathcal{D}_1$
$\Phi_{aeq} \vdash \mathrm{atp}\ A\ A$  by Lemma 12 on conclusion of $\mathcal{D}_2$
$\Phi_{aeq} \vdash \mathrm{aeq}\ (\mathrm{tapp}\ M\ A)\ (\mathrm{tapp}\ M\ A)$  by rule $\mathrm{ae}_{ta}$

3.2.2 R Version

We introduce four context relations $\Phi_a \sim \Phi_{atp}$, $\Phi_{ax} \sim \Phi_{aeq}$, $\Phi_{ax} \sim \Phi_a$ and $\Phi_{aeq} \sim \Phi_{atp}$. We define the first two as follows (where we omit the inference rules for the base cases).

Context Relations

$$\frac{\Phi_a \sim \Phi_{atp}}{\Phi_a, \mathrm{is\_tp}\ \alpha \sim \Phi_{atp}, \mathrm{is\_tp}\ \alpha;\ \mathrm{atp}\ \alpha\ \alpha}$$

$$\frac{\Phi_{ax} \sim \Phi_{aeq}}{\Phi_{ax}, \mathrm{is\_tm}\ x \sim \Phi_{aeq}, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x} \qquad
\frac{\Phi_{ax} \sim \Phi_{aeq}}{\Phi_{ax}, \mathrm{is\_tp}\ \alpha \sim \Phi_{aeq}, \mathrm{is\_tp}\ \alpha;\ \mathrm{atp}\ \alpha\ \alpha}$$

Note that $\Phi_{ax} \sim \Phi_{aeq}$ is the extension of $\Phi_x \sim \Phi_{xa}$ with one additional case for equality for types.⁴ We also omit the (obvious) inference rules defining $\Phi_{ax} \sim \Phi_a$ and $\Phi_{aeq} \sim \Phi_{atp}$, and instead note that they correspond to the graphs of the following two functions, respectively, which simply remove one of the two schema alternatives:

$\mathrm{rm}^*_{\mathrm{is\_tm}\ x} = \lambda d.\ \mathbf{case}\ d\ \mathbf{of}\ \mathrm{is\_tp}\ \alpha \mapsto \mathrm{is\_tp}\ \alpha \mid \mathrm{is\_tm}\ x \mapsto \cdot$

$\mathrm{rm}^*_{\mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x} = \lambda d.\ \mathbf{case}\ d\ \mathbf{of}\ \mathrm{is\_tp}\ \alpha;\ \mathrm{atp}\ \alpha\ \alpha \mapsto \mathrm{is\_tp}\ \alpha;\ \mathrm{atp}\ \alpha\ \alpha \mid \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x \mapsto \cdot$

We start with the theorem for types again, whose proof is similar to the R version of the previous example (Theorem 7) and is therefore omitted.

Theorem 14 (Admissibility of Reflexivity for Types, R Version)

Let $\Phi_a \sim \Phi_{atp}$. If $\Phi_a \vdash \mathrm{is\_tp}\ A$ then $\Phi_{atp} \vdash \mathrm{atp}\ A\ A$.

Lemma 15 (Relational Strengthening) Let $\Phi_{ax} \sim \Phi_{aeq}$. Then there exist contexts $\Phi_a$ and $\Phi_{atp}$ such that $\Phi_{ax} \sim \Phi_a$, $\Phi_{aeq} \sim \Phi_{atp}$, and $\Phi_a \sim \Phi_{atp}$.

Proof By induction on the given derivation of $\Phi_{ax} \sim \Phi_{aeq}$.

We again need a promotion lemma, this time involving the context relation.

Lemma 16 (R-Promotion for Type Reflexivity)

Let $\Phi_{ax} \sim \Phi_{aeq}$. If $\Phi_{ax} \vdash \mathrm{is\_tp}\ A$ then $\Phi_{aeq} \vdash \mathrm{atp}\ A\ A$.

Proof

$\Phi_{ax} \vdash \mathrm{is\_tp}\ A$  by assumption
$\Phi_a \vdash \mathrm{is\_tp}\ A$  by c-str
$\Phi_{ax} \sim \Phi_{aeq}$  by assumption
$\Phi_a \sim \Phi_{atp}$  by relational strengthening (Lemma 15)
$\Phi_{atp} \vdash \mathrm{atp}\ A\ A$  by Theorem 14
$\Phi_{aeq} \vdash \mathrm{atp}\ A\ A$  by c-wk

Theorem 17 (Admissibility of Reflexivity for Terms, R Version)

Let $\Phi_{ax} \sim \Phi_{aeq}$. If $\Phi_{ax} \vdash \mathrm{is\_tm}\ M$ then $\Phi_{aeq} \vdash \mathrm{aeq}\ M\ M$.

Proof Again, the proof is by induction on the given derivation. Most cases are similar to the analogous cases in the proof of the R version for the monomorphic case (Theorem 7) and the G version for types in the polymorphic case (Theorem 11). We show again the case for application of terms to types to compare with the G version.

Case:

$$\mathcal{D} = \frac{\overset{\mathcal{D}_1}{\Phi_{ax} \vdash \mathrm{is\_tm}\ M} \quad \overset{\mathcal{D}_2}{\Phi_{ax} \vdash \mathrm{is\_tp}\ A}}{\Phi_{ax} \vdash \mathrm{is\_tm}\ (\mathrm{tapp}\ M\ A)}\ \mathrm{tm}_{ta}$$

$\Phi_{ax} \sim \Phi_{aeq}$  by assumption
$\Phi_{ax} \vdash \mathrm{is\_tm}\ M$  sub-derivation $\mathcal{D}_1$
$\Phi_{aeq} \vdash \mathrm{aeq}\ M\ M$  by IH
$\Phi_{ax} \vdash \mathrm{is\_tp}\ A$  sub-derivation $\mathcal{D}_2$
$\Phi_{aeq} \vdash \mathrm{atp}\ A\ A$  by Lemma 16
$\Phi_{aeq} \vdash \mathrm{aeq}\ (\mathrm{tapp}\ M\ A)\ (\mathrm{tapp}\ M\ A)$  by rule $\mathrm{ae}_{ta}$

4 Again, we remark on our policy to use the smallest contexts possible for modularity reasons. Otherwise, we could have omitted the $\Phi_a \sim \Phi_{atp}$ relation, and stated the next theorem using $\Phi_{ax} \sim \Phi_{aeq}$.


3.3 Non-Linear Context Extensions

We return to the untyped lambda-calculus of Sect. 3.1 and establish the equivalence between the algorithmic definition of equality defined previously, and declarative equality $\Phi_{xd} \vdash \mathrm{deq}\ M\ N$, which includes reflexivity, symmetry and transitivity in addition to the congruence rules.⁵

Declarative Equality

$$\frac{\mathrm{deq}\ x\ x \in \Gamma}{\Gamma \vdash \mathrm{deq}\ x\ x}\ \mathrm{de}_v \qquad
\frac{\Gamma, \mathrm{is\_tm}\ x;\ \mathrm{deq}\ x\ x \vdash \mathrm{deq}\ M\ N}{\Gamma \vdash \mathrm{deq}\ (\mathrm{lam}\ x.\ M)\ (\mathrm{lam}\ x.\ N)}\ \mathrm{de}_l \qquad
\frac{\Gamma \vdash \mathrm{deq}\ M_1\ N_1 \quad \Gamma \vdash \mathrm{deq}\ M_2\ N_2}{\Gamma \vdash \mathrm{deq}\ (\mathrm{app}\ M_1\ M_2)\ (\mathrm{app}\ N_1\ N_2)}\ \mathrm{de}_a$$

$$\frac{}{\Gamma \vdash \mathrm{deq}\ M\ M}\ \mathrm{de}_r \qquad
\frac{\Gamma \vdash \mathrm{deq}\ M\ L \quad \Gamma \vdash \mathrm{deq}\ L\ N}{\Gamma \vdash \mathrm{deq}\ M\ N}\ \mathrm{de}_t \qquad
\frac{\Gamma \vdash \mathrm{deq}\ N\ M}{\Gamma \vdash \mathrm{deq}\ M\ N}\ \mathrm{de}_s$$

Context Schema $S_{xd} := \mathrm{is\_tm}\ x;\ \mathrm{deq}\ x\ x$

We now investigate the interesting part of the equivalence, namely that when we have a proof of $(\mathrm{deq}\ M\ N)$ then we also have a proof of $(\mathrm{aeq}\ M\ N)$. We show the G version first.


3.3.1 G Version

Here, a generalized context must combine the atoms of $\Phi_{xa}$ and $\Phi_{xd}$ into one declaration:

Generalized Context Schema $S_{da} := \mathrm{is\_tm}\ x;\ \mathrm{deq}\ x\ x;\ \mathrm{aeq}\ x\ x$

The following lemma promotes Theorems 8 and 10 to the “bigger” generalized context.

Lemma 18 (G-Promotion for Reflexivity, Symmetry, and Transitivity)

1. If $\Phi_{da} \vdash \mathrm{is\_tm}\ M$, then $\Phi_{da} \vdash \mathrm{aeq}\ M\ M$.

2. If $\Phi_{da} \vdash \mathrm{aeq}\ M\ N$, then $\Phi_{da} \vdash \mathrm{aeq}\ N\ M$.

3. If $\Phi_{da} \vdash \mathrm{aeq}\ M\ L$ and $\Phi_{da} \vdash \mathrm{aeq}\ L\ N$, then $\Phi_{da} \vdash \mathrm{aeq}\ M\ N$.

Proof Similar to the proof of Lemma 12, where the application of c-str transforms a context $\Phi_{da}$ to $\Phi_{xa}$ by considering each block of the form $(\mathrm{is\_tm}\ x;\ \mathrm{deq}\ x\ x;\ \mathrm{aeq}\ x\ x)$ and removing $(\mathrm{deq}\ x\ x)$.

Theorem 19 (Completeness, G Version)

If $\Phi_{da} \vdash \mathrm{deq}\ M\ N$ then $\Phi_{da} \vdash \mathrm{aeq}\ M\ N$.

Proof By induction on the derivation $\mathcal{D} :: \Phi_{da} \vdash \mathrm{deq}\ M\ N$. We only show some cases.

Case:

$$\mathcal{D} = \frac{}{\Phi_{da} \vdash \mathrm{deq}\ M\ M}\ \mathrm{de}_r$$

$\Phi_{da} \vdash \mathrm{is\_tm}\ M$  by (implicit) assumption
$\Phi_{da} \vdash \mathrm{aeq}\ M\ M$  by Lemma 18 (1)

Case:

$$\mathcal{D} = \frac{\overset{\mathcal{D}_1}{\Phi_{da} \vdash \mathrm{deq}\ M\ L} \quad \overset{\mathcal{D}_2}{\Phi_{da} \vdash \mathrm{deq}\ L\ N}}{\Phi_{da} \vdash \mathrm{deq}\ M\ N}\ \mathrm{de}_t$$

$\Phi_{da} \vdash \mathrm{aeq}\ M\ L$ and $\Phi_{da} \vdash \mathrm{aeq}\ L\ N$  by IH on $\mathcal{D}_1$ and $\mathcal{D}_2$
$\Phi_{da} \vdash \mathrm{aeq}\ M\ N$  by Lemma 18 (3)

Case:

$$\mathcal{D} = \frac{\overset{\mathcal{D}'}{\Phi_{da}, \mathrm{is\_tm}\ x;\ \mathrm{deq}\ x\ x \vdash \mathrm{deq}\ M\ N}}{\Phi_{da} \vdash \mathrm{deq}\ (\mathrm{lam}\ x.\ M)\ (\mathrm{lam}\ x.\ N)}\ \mathrm{de}_l$$

$\Phi_{da}, \mathrm{is\_tm}\ x;\ \mathrm{deq}\ x\ x;\ \mathrm{aeq}\ x\ x \vdash \mathrm{deq}\ M\ N$  by d-wk on $\mathcal{D}'$
$\Phi_{da}, \mathrm{is\_tm}\ x;\ \mathrm{deq}\ x\ x;\ \mathrm{aeq}\ x\ x \vdash \mathrm{aeq}\ M\ N$  by IH
$\Phi_{da}, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x \vdash \mathrm{aeq}\ M\ N$  by d-str
$\Phi_{da} \vdash \mathrm{aeq}\ (\mathrm{lam}\ x.\ M)\ (\mathrm{lam}\ x.\ N)$  by rule $\mathrm{ae}_l$

The symmetry case is not shown, but also requires promotion, via Lemma 18 (2). Note that the $\mathrm{de}_l$ case requires both d-str and d-wk. In contrast, the binder cases for the G versions of the previous examples (Theorems 8, 11 and 13) required only d-wk. The need for both arises from the fact that the generalized context is a non-linear extension of two contexts, i.e., it is not the same as either one of the two contexts it combines.

5 We acknowledge that this definition of declarative equality has a degree of redundancy: the assumption $\mathrm{deq}\ x\ x$ in rule $\mathrm{de}_l$ is not needed, since rule $\mathrm{de}_r$ plays the variable role. However, it yields an interesting generalized context schema, which exhibits issues that would otherwise require more complex case studies.


3.3.2 R Version

The context relation required here is $\Phi_{xa} \sim \Phi_{xd}$.

Context Relation

$$\frac{\Phi_{xa} \sim \Phi_{xd}}{\Phi_{xa}, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x \sim \Phi_{xd}, \mathrm{is\_tm}\ x;\ \mathrm{deq}\ x\ x}\ \mathrm{crel}_{ad}$$

As in Sect. 3.2, we need the appropriate promotion lemma, which again requires a relation strengthening lemma:

Lemma 20 (Relational Strengthening) Let $\Phi_{xa} \sim \Phi_{xd}$. Then there exists a context $\Phi_x$ such that $\Phi_x \sim \Phi_{xa}$.

Lemma 21 (R-Promotion for Reflexivity) Let $\Phi_{xa} \sim \Phi_{xd}$. If $\Phi_{xd} \vdash \mathrm{is\_tm}\ M$ then $\Phi_{xa} \vdash \mathrm{aeq}\ M\ M$.

The proofs are analogous to Lemmas 15 and 16, with the proof of Lemma 21 requiring Lemma 20.

Theorem 22 (Completeness, R Version) Let $\Phi_{xa} \sim \Phi_{xd}$. If $\Phi_{xd} \vdash \mathrm{deq}\ M\ N$ then $\Phi_{xa} \vdash \mathrm{aeq}\ M\ N$.

Proof By induction on the derivation $\mathcal{D} :: \Phi_{xd} \vdash \mathrm{deq}\ M\ N$.

Case:

$$\mathcal{D} = \frac{}{\Phi_{xd} \vdash \mathrm{deq}\ M\ M}\ \mathrm{de}_r$$

$\Phi_{xd} \vdash \mathrm{is\_tm}\ M$  by (implicit) assumption
$\Phi_{xa} \vdash \mathrm{aeq}\ M\ M$  by Lemma 21

Case:

$$\mathcal{D} = \frac{\overset{\mathcal{D}_1}{\Phi_{xd} \vdash \mathrm{deq}\ M\ L} \quad \overset{\mathcal{D}_2}{\Phi_{xd} \vdash \mathrm{deq}\ L\ N}}{\Phi_{xd} \vdash \mathrm{deq}\ M\ N}\ \mathrm{de}_t$$

$\Phi_{xa} \vdash \mathrm{aeq}\ M\ L$ and $\Phi_{xa} \vdash \mathrm{aeq}\ L\ N$  by IH on $\mathcal{D}_1$ and $\mathcal{D}_2$
$\Phi_{xa} \vdash \mathrm{aeq}\ M\ N$  by Theorem 10 (2)

Case:

$$\mathcal{D} = \frac{\overset{\mathcal{D}'}{\Phi_{xd}, \mathrm{is\_tm}\ x;\ \mathrm{deq}\ x\ x \vdash \mathrm{deq}\ M\ N}}{\Phi_{xd} \vdash \mathrm{deq}\ (\mathrm{lam}\ x.\ M)\ (\mathrm{lam}\ x.\ N)}\ \mathrm{de}_l$$

$\Phi_{xa} \sim \Phi_{xd}$  by assumption
$\Phi_{xa}, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x \sim \Phi_{xd}, \mathrm{is\_tm}\ x;\ \mathrm{deq}\ x\ x$  by rule $\mathrm{crel}_{ad}$
$\Phi_{xa}, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x \vdash \mathrm{aeq}\ M\ N$  by IH on $\mathcal{D}'$
$\Phi_{xa} \vdash \mathrm{aeq}\ (\mathrm{lam}\ x.\ M)\ (\mathrm{lam}\ x.\ N)$  by rule $\mathrm{ae}_l$

Only one promotion lemma is required in this proof, for the reflexivity case (which requires one occurrence each of c-str and c-wk), and no strengthening or weakening is needed in the lambda case (thus no occurrences of d-str/wk in this proof). In contrast, the proof of the G version of this theorem (Theorem 19) uses 3 occurrences of each of c-str and c-wk via promotion Lemma 18 and one occurrence each of d-str and d-wk in the lambda case.


3.4 Order

A consequence of viewing contexts as sequences is that order comes into play, and therefore the need to consider exchanging the elements of a context. This happens when, for example, a judgment singles out a particular occurrence of an assumption in head position. We exemplify this with a “parallel” substitution property for algorithmic equality, stated below. The proof also involves some slightly more sophisticated reasoning about names in the variable case than previously observed. Furthermore, note that this substitution property does not “come for free” in a HOAS encoding in the way, for example, that type substitution (Lemma 25) does.

Theorem 23 (Pairwise Substitution) If $\Phi_{xa}, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x \vdash \mathrm{aeq}\ M_1\ M_2$ and $\Phi_{xa} \vdash \mathrm{aeq}\ N_1\ N_2$, then $\Phi_{xa} \vdash \mathrm{aeq}\ ([N_1/x]M_1)\ ([N_2/x]M_2)$.

Proof By induction on the derivation $\mathcal{D} :: \Phi_{xa}, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x \vdash \mathrm{aeq}\ M_1\ M_2$ and inversion on $\Phi_{xa} \vdash \mathrm{aeq}\ N_1\ N_2$. We show two cases.

Case:

$$\mathcal{D} = \frac{\mathrm{aeq}\ y\ y \in \Phi_{xa}, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x}{\Phi_{xa}, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x \vdash \mathrm{aeq}\ y\ y}\ \mathrm{ae}_v$$

We need to establish $\Phi_{xa} \vdash \mathrm{aeq}\ ([N_1/x]y)\ ([N_2/x]y)$.

Sub-case: $y = x$: Applying the substitution to the above judgment, we need to show $\Phi_{xa} \vdash \mathrm{aeq}\ N_1\ N_2$, which we have.

Sub-case: $\mathrm{aeq}\ y\ y \in \Phi_{xa}$ for $y \neq x$. Applying the substitution in this case gives us $\Phi_{xa} \vdash \mathrm{aeq}\ y\ y$, which we have by assumption.

Case:

$$\mathcal{D} = \frac{\overset{\mathcal{D}'}{\Phi_{xa}, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x, \mathrm{is\_tm}\ y;\ \mathrm{aeq}\ y\ y \vdash \mathrm{aeq}\ M_1\ M_2}}{\Phi_{xa}, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x \vdash \mathrm{aeq}\ (\mathrm{lam}\ y.\ M_1)\ (\mathrm{lam}\ y.\ M_2)}\ \mathrm{ae}_l$$

$\Phi_{xa}, \mathrm{is\_tm}\ y;\ \mathrm{aeq}\ y\ y, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x \vdash \mathrm{aeq}\ M_1\ M_2$  by exc on $\mathcal{D}'$
$\Phi_{xa} \vdash \mathrm{aeq}\ N_1\ N_2$  by assumption
$\Phi_{xa}, \mathrm{is\_tm}\ y;\ \mathrm{aeq}\ y\ y \vdash \mathrm{aeq}\ N_1\ N_2$  by d-wk
$\Phi_{xa}, \mathrm{is\_tm}\ y;\ \mathrm{aeq}\ y\ y \vdash \mathrm{aeq}\ ([N_1/x]M_1)\ ([N_2/x]M_2)$  by IH
$\Phi_{xa} \vdash \mathrm{aeq}\ ([N_1/x](\mathrm{lam}\ y.\ M_1))\ ([N_2/x](\mathrm{lam}\ y.\ M_2))$  by rule $\mathrm{ae}_l$ and possible renaming

We remark that there are more general ways to formulate properties such as Theorem 23 that do not require (on paper) exchange; for example,

If $\Phi_{xa}, \mathrm{is\_tm}\ x;\ \mathrm{aeq}\ x\ x, \Phi'_{xa} \vdash \mathrm{aeq}\ M_1\ M_2$ and $\Phi_{xa} \vdash \mathrm{aeq}\ N_1\ N_2$, then $\Phi_{xa}, \Phi'_{xa} \vdash \mathrm{aeq}\ ([N_1/x]M_1)\ ([N_2/x]M_2)$.

The proof of the latter statement has a similar structure to the previous one, except that it uses d-wk in the first variable sub-case, while the binding case does not employ any structural property to apply the induction hypothesis, by taking $(\Phi'_{xa}, \mathrm{is\_tm}\ y;\ \mathrm{aeq}\ y\ y)$ as $\Phi'_{xa}$. While this works well in a paper and pencil style, it is much harder to mechanize, since it brings in reasoning about appending and splitting lists that are foreign to the matter at hand.

We conclude by noting that there are examples where exchange cannot be applied, since the dependency proviso is not satisfied. Cases in point are substitution lemmas for dependent types. Here, other encoding techniques must be used, as explored in Crary (2009).


3.5 Uniqueness 

Uniqueness of context variables plays an unsurprisingly important role in proving
type uniqueness, i.e. every lambda-term has a unique type. For the sake of
this discussion it is enough to consider the monomorphic case, where abstractions
carry type annotations on bound variables, and types consist only of a ground
type and a function arrow.

Terms M ::= y | lam x:A. M | app M1 M2
Types A ::= i | arr A B

The typing rules are the obvious subset of the ones presented in Sect. 2, yielding:

Context Schema S_t := is_tm x; x:A

The statement of the theorem requires only a single context and thus there is no
distinction to be made between the R and G versions.

Theorem 24 (Type Uniqueness) If Φ_t ⊢ M : A and Φ_t ⊢ M : B then A = B.

Proof The proof is by induction on the first derivation and inversion on the second.
We show only the variable case, where uniqueness plays a central role.

Case:

    x:A ∈ Φ_t
D = ─────────── of_v
    Φ_t ⊢ x : A

We know that x:A ∈ Φ_t by rule of_v. By definition, Φ_t contains the block (is_tm x; x:A).
Moreover, we know Φ_t ⊢ x : B by assumption. By inversion using rule of_v, we
know that x:B ∈ Φ_t, which means that Φ_t contains the block (is_tm x; x:B). Since all
assumptions about x occur uniquely, these must be the same block. Thus A must
be identical to B.


3.6 Substitution 


In this section we address the interaction of the substitution property with context
reasoning. It is well known and rightly advertised that substitution lemmas
come “for free” in HOAS encodings, since substitutivity is just a by-product of
hypothetical-parametric judgments. We refer to Pfenning (2001) for more details.
A classic example is the proof of type preservation for a functional programming
language, where a lemma stating that substitution preserves typing is required
in every case that involves a β-reduction. However, this example theorem is unduly
restrictive, since functional programs are closed expressions; in fact, the proof
proceeds by induction on (closed) evaluation and inversion on typing, hence only
addressing contexts in a marginal way. We thus discuss a similar proof for an
evaluation relation that “goes under a lambda”, and we choose parallel reduction,
as it is a standard relation also used in other important case studies such as the
Church-Rosser theorem. The context schema and relevant rules are below.


Parallel Reduction

x ⇒ x ∈ Γ
─────────── pr_v
Γ ⊢ x ⇒ x

Γ, is_tm x; x ⇒ x ⊢ M ⇒ N
───────────────────────────── pr_l
Γ ⊢ lam x. M ⇒ lam x. N

Γ, is_tm x; x ⇒ x ⊢ M ⇒ M'      Γ ⊢ N ⇒ N'
──────────────────────────────────────────── pr_β
Γ ⊢ (app (lam x. M) N) ⇒ [N'/x]M'

Γ ⊢ M ⇒ M'      Γ ⊢ N ⇒ N'
───────────────────────────────── pr_a
Γ ⊢ (app M N) ⇒ (app M' N')

Context Schema S_r := is_tm x; x ⇒ x


The relevant substitution lemma is:

Lemma 25 If Φ_t, is_tm x; x:A ⊢ M : B and Φ_t ⊢ N : A, then Φ_t ⊢ [N/x]M : B.

Proof While this is usually proved by induction on the first derivation, we show
it as a corollary of the substitution principles.

Φ_t, is_tm x; x:A ⊢ M : B           by assumption
Φ_t, is_tm N; N:A ⊢ [N/x]M : B      by parametric substitution
Φ_t, is_tm N ⊢ [N/x]M : B           by hypothetical substitution
Φ_t ⊢ is_tm N                       by (implicit) assumption
Φ_t ⊢ [N/x]M : B                    by hypothetical substitution


We show only the R version of type preservation. For the G version, the context
schema is obtained by combining the schemas S_r and S_t similarly to how S_da was
defined to combine S_xa and S_xd in Sect. 3.3. We leave it to the reader to complete
such a proof. For the R version, we introduce the customary context relation, which
in this case is:

              Φ_r ~ Φ_t
───────────────────────────────────────── crel_rt
Φ_r, is_tm x; x ⇒ x ~ Φ_t, is_tm x; x:A


Theorem 26 (Type Preservation for Parallel Reduction) Assume Φ_r ~ Φ_t.
If Φ_r ⊢ M ⇒ N and Φ_t ⊢ M : A, then Φ_t ⊢ N : A.

Proof The proof is by induction on the derivation D :: Φ_r ⊢ M ⇒ N and inversion
on Φ_t ⊢ M : A. We show only two cases:

Case:

    x ⇒ x ∈ Φ_r
D = ───────────── pr_v
    Φ_r ⊢ x ⇒ x

We know that in this case M = x = N. Then the result follows trivially.

Case:

             D1                                D2
    Φ_r, is_tm x; x ⇒ x ⊢ M ⇒ M'          Φ_r ⊢ N ⇒ N'
D = ──────────────────────────────────────────────────── pr_β
    Φ_r ⊢ (app (lam x. M) N) ⇒ [N'/x]M'

Φ_t ⊢ (app (lam x. M) N) : A                      by assumption
Φ_t ⊢ (lam x. M) : arr B A and Φ_t ⊢ N : B        by inversion on rule of_a
Φ_t ⊢ N' : B                                      by IH on D2 and the latter
Φ_t, is_tm x; x:B ⊢ M : A                         by inversion on rule of_l
Φ_r ~ Φ_t                                         by assumption
(Φ_r, is_tm x; x ⇒ x) ~ (Φ_t, is_tm x; x:B)       by rule crel_rt
Φ_t, is_tm x; x:B ⊢ M' : A                        by IH
Φ_t ⊢ [N'/x]M' : A                                by Lemma 25 (substitution)

If we were to prove a similar result for the polymorphic λ-calculus, we would
need another substitution lemma, namely:

Lemma 27 If Φ_at, is_tp a ⊢ M : B and Φ_at ⊢ is_tp A, then
Φ_at ⊢ [A/a]M : [A/a]B.

Again, this follows immediately from parametric and hypothetical substitution,
whereas a direct inductive proof may not be completely trivial to mechanize.
4 The ORBI Specification Language


ORBI (Open challenge problem Repository for systems supporting reasoning with
Binders) is an open repository for sharing benchmark problems based on the notation
we have developed. ORBI is designed to be a human-readable, easily machine-parsable,
uniform, yet flexible and extensible language for writing specifications
of formal systems including grammar, inference rules, contexts and theorems. The
language directly upholds HOAS representations and is oriented to support the
mechanization of the benchmark problems in Twelf, Beluga, Abella, and Hybrid,
hopefully without precluding other existing or future HOAS systems. At the same
time, we hope it also is amenable to translations to systems using other representation
techniques such as nominal systems.

The desire for ORBI to cater to both type and proof theoretic frameworks
requires an almost impossible balancing act between the two views. While all the
systems we plan to target are essentially two-level, they differ substantially, as
we will see in much more detail in the companion paper (Felty et al., 2015). For
example, contexts are first-class and part of the specification language in Beluga;
in Twelf, schemas for contexts are part of the specification language, which is an
extension of LF, but users cannot explicitly quantify over contexts and manipulate
them as first-class objects; in Abella and Hybrid, contexts are (pre)defined using
inductive definitions on the reasoning level.

We structure the language in two parts:

1. the problem description, which includes the grammar of the object language
   syntax, inference rules, context schemas and context relations;
2. the logic language, which includes syntax for expressing theorems and directives
   to ORBI2X tools.⁶

We consider the notation that we present here as a first attempt at defining
ORBI (Version 0.1), where the goal is to cover the benchmarks considered in this
paper. As new benchmarks are added, we are well aware that we will need to
improve the syntax and increase the expressive power; we discuss limitations and
some possible extensions in Sect. 6.


4.1 Problem Description 

ORBI’s language for defining the grammar of an object language together with inference
rules is based on the logical framework LF; pragmatically, we have adopted
the concrete syntax of LF specifications in Beluga, which is almost identical to
Twelf’s. The advantage is that specifications can be directly type checked by Beluga,
thereby eliminating many syntactically correct but meaningless expressions.

Object languages are written according to the EBNF (Extended Backus-Naur
Form) grammar in Fig. 2, which uses certain conventions: {a} means repeat a production
zero or more times, and comments in the grammar are enclosed between (*
and *). The token id refers to identifiers starting with a lower or upper case letter.
These grammar rules are basically the standard ones used both in Twelf and Beluga

⁶ Following TPTP’s nomenclature (Sutcliffe, 2009), we call “ORBI2X” any tool taking an
ORBI specification as input; for example, the translator for Hybrid mentioned earlier translates
syntax, inference rules, and context definitions of ORBI into input to the Coq version of Hybrid,
and is designed so that it can be adapted fairly directly to output Abella scripts.
sig      ::= {decl                              (* declaration *)
           | s_decl}                            (* schema declaration *)
decl     ::= id ":" tp "."                      (* constant declaration *)
           | id ":" kind "."                    (* type declaration *)
op_arrow ::= "->" | "<-"                        (* A <- B same as B -> A *)
kind     ::= type
           | tp op_arrow kind                   (* A -> K *)
           | "{" id ":" tp "}" kind             (* Pi x:A.K *)
tp       ::= id {term}                          (* a M1 ... Mn *)
           | tp op_arrow tp
           | "{" id ":" tp "}" tp               (* Pi x:A.B *)
term     ::= id                                 (* constants, variables *)
           | "\" id "." term                    (* lambda x. M *)
           | term term                          (* M N *)
s_decl   ::= schema s_id ":" alt_blk "."
s_id     ::= id
alt_blk  ::= blk {"+" blk}
blk      ::= block id ":" tp {";" id ":" tp}

Fig. 2 ORBI Grammar for Syntax, Judgments, Inference Rules, and Context Schemas


and we do not discuss them in detail here. We only note that while the presented
grammar permits general dependent types up to level n, ORBI specifications will
only use level 0 and level 1. Intuitively, specifications at level 0 define the syntax
of a given object language, while specifications at level 1 (i.e. type families which
are indexed by terms of level 0) describe the judgments and rules for a given OL.
We exemplify the grammar relative to the example of algorithmic vs. declarative
equality used in Subsections 3.1, 3.3 and 3.4. The full ORBI specification is given
in Appendix B, and all examples described in this section are taken from that
specification. For the remaining example specifications, we refer the reader to the
companion paper (Felty et al., 2015) or to https://github.com/pientka/ORBI.
To assist compact translations to systems that do not include the LF language,
we also support directives written as comments of a special form, i.e., they
are prefixed by % and ignored by the LF type checker. For example, we provide
directives that allow us to distinguish between the syntax definition of an object
language and the definition of its judgments and inference rules. (See Appendix B.)
Directives, including their grammar, are detailed in Sect. 4.2.


Syntax An ORBI file starts in the Syntax section with the declaration of the
constants used to encode the syntax of the OL in question, here untyped lambda-terms,
which are introduced with the declaration tm:type. This declaration along
with those of the constructors app and lam in the Syntax section fully specify
the syntax of OL terms. We represent binders in the OL using binders in the
HOAS meta-language. Hence the constructor lam takes in a function of type
tm -> tm. For example, the OL term (lam x. lam y. app x y) is represented as
lam (\x. lam (\y. app x y)), where “\” is the binder of the metalanguage.
Bound variables found in the object language are not explicitly represented in
the meta-language.

Judgments and Rules These are introduced as LF type families (predicates) in
the Judgments section, followed by object-level inference rules for these judgments
in the Rules section.⁷ In our running example, we have two judgments, aeq and
deq, of type tm -> tm -> type. Consider first the inference rule for algorithmic
equality for application, where the ORBI text is a straightforward encoding of the
rule:

ae_a: aeq M1 N1 -> aeq M2 N2
   -> aeq (app M1 M2) (app N1 N2).

    aeq M1 N1      aeq M2 N2
──────────────────────────────── ae_a
aeq (app M1 M2) (app N1 N2)

Uppercase letters such as M1 denote schematic variables, which are implicitly quantified
at the outermost level, namely {M1:tm}, as commonly done for readability
purposes in Twelf and Beluga.

The binder case is more interesting:

ae_l: ({x:tm} aeq x x -> aeq (M x) (N x))
   -> aeq (lam (\x. M x)) (lam (\x. N x)).

               ───────── ae_v^x
    is_tm x     aeq x x
            ⋮
          aeq M N
─────────────────────────────── ae_l^{x, ae_v}
aeq (lam x. M) (lam x. N)

We view the is_tm x assumption as the parametric assumption x:tm, while the
hypothesis aeq x x (and its scoping) is encoded within the embedded implication
aeq x x -> aeq (M x) (N x) in the current (informal) signature augmented with
the dynamic declaration for x.⁸ Recall that the “variable” case of an implicit-context
presentation, namely ae_v, is folded inside the binder case.


Schemas A schema declaration s_decl is introduced using the keyword schema.
A blk consists of one or more declarations and alt_blk describes alternating
schemas. For example, schema S_xa in Sect. 3.1.2 appears in the Schemas section
of Appendix B as:

schema xaG: block (x:tm; u:aeq x x).

As another example, in this case illustrating a schema sporting alternatives, we
encode the schema S_aeq from polymorphic equality as:

schema aeqG: block (a:tp; u:atp a a) + block (x:tm; v:aeq x x).

While we can type-check the schema definitions using an extension of the LF
type checker (as implemented in Beluga), we do not verify that the given schema
definition is meaningful with respect to the specification of the syntax and inference
rules; in other words, we do not perform “world checking” in Twelf lingo.

⁷ There are several excellent tutorials (Pfenning, 2001; Harper and Licata, 2007) on how to
encode OLs in LF, and hence we keep it brief.

⁸ As is well known, parametric assumptions and embedded implication are unified in the
type-theoretic view.
Definitions So far we have considered the specification language for encoding formal
systems. ORBI also supports declaring inductive definitions for specifying
context relations and theorems. We start with the grammar for inductive definitions
(Fig. 3). An inductive predicate is given an r_kind by the production def_dec.
Although we plan to provide syntax for specifying more general inductive definitions,
in this version of ORBI we only define context relations inductively, that is
n-ary predicates between contexts of a given schema. Hence the base predicate is
of the form id {ctx}, relating different contexts.

def_dec  ::= "inductive" id ":" r_kind "=" def_body
r_kind   ::= "prop"
           | "{" id ":" s_id "}" r_kind
def_body ::= "|" id ":" def_prp {def_body}
def_prp  ::= id {ctx}
           | def_prp "->" def_prp
ctx      ::= nil | id | ctx "," blk

Fig. 3 ORBI Grammar for Inductive Definitions describing Context Relations


For example, the relation Φ_x ~ Φ_xa is encoded in the Definitions section of
Appendix B as:

inductive xaR : {G:xG} {H:xaG} prop =
| xa_nil: xaR nil nil
| xa_cons: xaR G H -> xaR (G, block x:tm) (H, block x:tm; u:aeq x x).

This kind of relation can be translated fairly directly to inductive n-ary predicates
in systems supporting the proof-theoretic view. In the type-theoretic framework
underlying Beluga, inductive predicates relating contexts correspond to recursive
data types indexed by contexts; this also allows for a straightforward translation.
Twelf’s type theoretic framework, however, is not rich enough to support inductive
definitions.


4.2 Language for Theorems and Directives 

While the elements of an ORBI specification detailed in the previous subsection
were relatively easy to define in a manner that is well understood by all the different
systems we are targeting, we illustrate in this subsection those elements that
are harder to describe uniformly due to the different treatment and meaning of
contexts in the different systems.


Theorems We list the grammar for theorems in Fig. 4. Our reasoning language includes
a category prp that specifies the logical formulas we support. The base predicates
include false, true, term equality, atomic predicates of the form id {ctx},
which are used to express context relations, and predicates of the form [ctx |- J],
which represent judgments of an object language within a given context. Connectives
and quantifiers include implication, conjunction, disjunction, universal and
existential quantification over terms, and universal quantification over context variables.






thm      ::= "theorem" id ":" prp "."
prp      ::= id {ctx}                           (* Context relation *)
           | "[" ctx "|-" id {term} "]"         (* Judgment in a context *)
           | term "=" term                      (* Term equality *)
           | false                              (* Falsehood *)
           | true                               (* Truth *)
           | prp "&&" prp                       (* Conjunction *)
           | prp "||" prp                       (* Disjunction *)
           | prp "->" prp                       (* Implication *)
           | quantif prp                        (* Quantification *)
quantif  ::= "{" id ":" s_id "}"                (* universal over contexts *)
           | "{" id ":" tp "}"                  (* universal over terms *)
           | "<" id ":" tp ">"                  (* existential over terms *)

Fig. 4 ORBI Grammar for Theorems

The specification of the G and R versions of the completeness theorem is as
follows:

theorem ceqG: {G:daG} [G |- deq M N] -> [G |- aeq M N].

theorem ceqR: {G:xdG}{H:xaG} daR G H -> [G |- deq M N] -> [H |- aeq M N].

This and all the other theorems pertaining to the development of the meta-theory
of algorithmic and declarative equality are listed in the Theorems section
of Appendix B. The theorems stated are a straightforward encoding of the main
theorems in Subsections 3.1, 3.3 and 3.4.

As mentioned, we do not type-check theorems; in particular, we do not define
the meaning of [ctx |- J], since several interpretations are possible. In Beluga,
every judgment J must be meaningful within the given context ctx; in particular,
terms occurring in the judgment J must be meaningful in ctx. As a consequence,
both parametric and hypothetical assumptions relevant for establishing the proof
of J must be contained in ctx. Instead of the local context view adopted in Beluga,
Twelf has one global ambient context containing all relevant parametric and hypothetical
assumptions. Systems based on proof theory such as Hybrid and Abella
distinguish between assumptions denoting eigenvariables (i.e. parametric assumptions),
which live in a global ambient context, and proof assumptions (i.e. hypothetical
assumptions), which live in the context ctx. While users of different systems
understand how to interpret [ctx |- J], reconciling these different perspectives
in ORBI is beyond the scope of this paper. Thus for the time being, we view theorem
statements in ORBI as a kind of comment, where it is up to the user of a
particular system to determine how to translate them.


Directives As we have mentioned before, directives are comments that help the
ORBI2X tools to generate target representations of the ORBI specifications. The
idea is reminiscent of what Ott (Sewell et al., 2010) does to customize certain
declarations, e.g. the representation of variables, to the different programming
languages/proof assistants it supports. The grammar for directives is listed in
Fig. 5.

dir    ::= sy_set what decl {dest} '.'
         | sepr '.'
sy_id  ::= hy | ab | bel | tw
sy_set ::= '[' sy_id {',' sy_id} ']'
what   ::= wf | explicit | implicit
dest   ::= 'in' ctx | 'in' s_id | 'in' id
sepr   ::= Syntax | Judgments | Rules | Schemas | Definitions
         | Directives | Theorems

Fig. 5 ORBI Grammar for Directives


Most of the directives that we consider in this version of ORBI are dedicated
to helping the translations into proof-theoretical systems, although we also include
some to facilitate the translation of theorems to Beluga. The set of directives is not
intended to be complete and the meaning of directives is system-specific. Beyond
directives (sepr) meant to structure ORBI specs, the instructions wf and explicit
are concerned with the asymmetry in the proof-theoretic view between declarations
that give typing information, e.g. tm:type, and those expressing judgments, e.g.
aeq:tm -> tm -> type. In Abella and Hybrid, the former may need to be reified
in a judgment, in order to show that judgments preserve the well-formedness of
their constituents, as well as to provide induction on the structure of terms; yet,
in order to keep proofs compact and modular, we want to minimize this reification
and only include them where necessary. The first line in the Directives section of
Appendix B states the directive “[hy,ab] wf tm”, which refers to the first line of
the Syntax section where tm is introduced, and indicates that we need a predicate
(e.g., is_tm) to express well-formedness of terms of type tm. Formulas expressing
the definition of this predicate are automatically generated from the declarations
of the constructors app and lam with their types.

The keyword explicit indicates when such well-formedness predicates should
be included in the translation of the declarations in the Rules section. For example,
the following formulas both represent possible translations of the ae_l rule to
Abella and Hybrid:

∀M, N. (∀x. is_tm x → aeq x x → aeq (M x) (N x)) → aeq (lam M) (lam N)

∀M, N. (∀x. aeq x x → aeq (M x) (N x)) → aeq (lam M) (lam N)

where the typing information is explicit in the first and implicit in the second.
By default, we choose the latter, that is, well-formedness judgments are assumed to be
implicit, and require a directive if the former is desired. In fact, in the previous
section, we assumed that whenever a judgment is provable, the terms in it are
well-formed, e.g., if aeq M N is provable, then so are is_tm M and is_tm N. Such
a lemma is indeed provable in Abella and Hybrid from the implicit translation
of the rules for aeq. Proving a similar lemma for the deq judgment, on the other
hand, requires some strategically placed explicit well-formedness information. In
particular, the two directives

% [hy,ab] explicit x in de_l.

% [hy,ab] explicit M in de_r.

require the clauses de_l and de_r to be translated to the following formulas:

∀M, N. (∀x. is_tm x → deq x x → deq (M x) (N x)) → deq (lam M) (lam N)

∀M. is_tm M → aeq M M

The case for schemas is analogous: in the proof-theoretic view, schemas are
translated to unary inductive predicates. Again, typing information is left implicit
in the translation unless a directive is included. For example, the xaG schema
with no associated directive will be translated to a definition that expresses that
whenever context G has schema xaG, then so does G, aeq x x. For the daG schema,
with directive

% [hy,ab] explicit x in daG.

the translation will express that whenever G has schema daG, then so does
G, (is_tm x; deq x x; aeq x x).

Similarly, directives in context relations, such as:

% [hy,ab] explicit x in G in xaR.

also state which well-formedness annotations to make explicit in the translated
version. In this case, when translating the definition of xaR in the Definitions
section, they are to be kept in G, but skipped in H.
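As an added example (not code from the ORBI paper or the ORBI repository), the following Python script carries out the schema translation just described on a constructed, Appendix-B-style sample: it parses schema declarations in the parenthesized form of the examples above, the level-0 type declarations and the “%” directives, and emits for each block the context extension a target system would see. Two assumptions: the block structure of daG (is_tm x; deq x x; aeq x x) is taken from the translation the text gives for it, and the well-formedness directive is written in the directive grammar's form “% [hy,ab] wf tm.”.

```python
# Added example, not from the ORBI paper or repository: a toy translator that reads
# ORBI schema declarations (Fig. 2), level-0 type declarations and "%" directives
# (Fig. 5), and emits the proof-theoretic reading of each schema block.
import re
from dataclasses import dataclass

SCHEMA_RE = re.compile(r"^\s*schema\s+(\w+)\s*:\s*(.*?)\s*\.\s*$", re.S)
BLOCK_RE = re.compile(r"block\s*\(([^)]*)\)")
TYPE_RE = re.compile(r"^\s*(\w+)\s*:\s*type\s*\.\s*$")
DIR_RE = re.compile(r"^\s*%\s*\[([^\]]*)\]\s*(wf|explicit|implicit)\s+(\w+)"
                    r"((?:\s+in\s+\w+)*)\s*\.\s*$")


@dataclass
class Schema:
    name: str
    blocks: list  # each block is a list of (variable, type) pairs


def parse_types(syntax_lines):
    """Collect the level-0 types declared as `id : type.` in the Syntax section."""
    return {m.group(1) for m in map(TYPE_RE.match, syntax_lines) if m}


def parse_schema(text):
    """Parse `schema s_id: blk {"+" blk}.` into a Schema, rejecting malformed input."""
    m = SCHEMA_RE.match(text)
    if not m:
        raise ValueError(f"not a schema declaration: {text!r}")
    name, body = m.group(1), m.group(2)
    blocks = []
    for bm in BLOCK_RE.finditer(body):
        decls = []
        for d in bm.group(1).split(";"):
            var, _, ty = d.partition(":")
            if not var.strip() or not ty.strip():
                raise ValueError(f"bad declaration {d!r} in schema {name}")
            decls.append((var.strip(), " ".join(ty.split())))
        blocks.append(decls)
    # Between the blocks only the "+" alternation operator may appear.
    rest = BLOCK_RE.sub("", body)
    if rest.replace("+", "").strip() or rest.count("+") != len(blocks) - 1:
        raise ValueError(f"schema {name}: expected blk {{'+' blk}}, got {body!r}")
    return Schema(name, blocks)


def parse_directives(lines):
    """Index `% [systems] wf T.` and `% [systems] explicit x in s_id.` directives."""
    wf, explicit = {}, {}
    for line in lines:
        m = DIR_RE.match(line)
        if not m:
            raise ValueError(f"malformed directive: {line!r}")
        systems = {s.strip() for s in m.group(1).split(",")}
        what, target = m.group(2), m.group(3)
        dests = tuple(m.group(4).split()[1::2])  # " in daG in xaR" -> ("daG", "xaR")
        if what == "wf":
            wf.setdefault(target, set()).update(systems)
        elif what == "explicit":
            explicit.setdefault((target,) + dests, set()).update(systems)
        # "implicit" is the default reading, so nothing needs recording for it.
    return {"wf": wf, "explicit": explicit}


def translate_schema(schema, level0, directives, system):
    """Render each block as the context extension `system` sees: typing
    declarations (x:tm) become is_tm x only if a directive makes them explicit
    for that system; judgment declarations (u:aeq x x) are kept as atoms."""
    rendered = []
    for block in schema.blocks:
        atoms = []
        for var, ty in block:
            if ty in level0:  # typing declaration: implicit unless made explicit
                if system not in directives["explicit"].get((var, schema.name), set()):
                    continue
                if system not in directives["wf"].get(ty, set()):
                    raise ValueError(f"explicit {var} in {schema.name} needs a wf "
                                     f"predicate for {ty} in system {system}")
                atoms.append(f"is_{ty} {var}")
            else:  # judgment declaration: kept, its proof variable is dropped
                atoms.append(ty)
        rendered.append("; ".join(atoms))
    return rendered


# Constructed sample in the style of Appendix B; daG's blocks follow the text's translation.
SYNTAX = ["tm : type.", "tp : type."]
SCHEMAS = [
    "schema xaG: block (x:tm; u:aeq x x).",
    "schema aeqG: block (a:tp; u:atp a a) + block (x:tm; v:aeq x x).",
    "schema daG: block (x:tm; u:deq x x; v:aeq x x).",
]
DIRECTIVES = ["% [hy,ab] wf tm.", "% [hy,ab] explicit x in daG."]


def translate_all(system="hy"):
    """Translate every sample schema for one target system (hy, ab, bel or tw)."""
    level0, dirs = parse_types(SYNTAX), parse_directives(DIRECTIVES)
    return {s.name: translate_schema(s, level0, dirs, system)
            for s in map(parse_schema, SCHEMAS)}
```

For system hy the script yields "aeq x x" for xaG, the two alternatives "atp a a" and "aeq x x" for aeqG, and "is_tm x; deq x x; aeq x x" for daG; asking for an explicit variable whose type has no wf predicate is rejected rather than silently dropped.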

Keeping in mind that we consider the notion of directive open to cover other
benchmarks and different systems, we offer some speculation about directives that
we may need to translate theorems for the examples and systems that we are
considering. (Speculative directives are omitted from Appendix B.) For example,
theorem reflG is proven by induction over M. As a consequence, M must be explicit.

% [hy,ab,bel] explicit M in H in reflG.

Hybrid and Abella interpret the directive by adding an explicit assumption
[H ⊢ is_tm M], as illustrated by the result of the translation:

∀H, M. [H ⊢ is_tm M] → [H ⊢ aeq M M]

In Beluga, the directive is interpreted as

{H:xaG} {M:[H. tm]} [H. aeq (M ..) (M ..)].

where M will have type tm in the context H. Moreover, since the term M is
used in the judgment aeq within the context H, we associate M with an identity
substitution (denoted by ..). In short, the directive allows us to lift the type
specified in ORBI to a contextual type which is meaningful in Beluga. In fact,
Beluga always needs additional information on how to interpret terms: are they
closed or can they depend on a given context? For translating symG for example,
we use the following directives to indicate the dependence on the context:

% [bel] implicit M in H in symG.

% [bel] implicit N in H in symG.
4.3 Guidelines

In addition, we introduce a set of guidelines for ORBI specification writers, with
the goal of helping translators generate output that is more likely to be accepted
by a specific system. ORBI 0.1 includes four such guidelines, which are motivated
by the desire not to put too many constraints in the grammar rules. First, as we
have seen in our examples, we use as a convention that free variables which denote
schematic variables in rules are written using upper case identifiers; we use lower
case identifiers for eigenvariables in rules. Second, while the grammar does not
restrict what types we can quantify over, the intention is that we quantify over
types of level 0, i.e. objects of the syntax level, only. Third, in order to more
easily accommodate systems without dependent types, Pi should not be used
when writing non-dependent types. An arrow should be used instead. (In LF,
for example, A -> B is an abbreviation for Pi x:A.B for the case when x does not
occur in B. Following this guideline means favoring this abbreviation whenever it
applies.) Fourth, when writing a context (grammar ctx), distinct variable names
should be used in different blocks.


5 Related Work 


Our approach to structuring contexts of assumptions takes its inspiration from
Martin-Löf’s theory of judgments (Martin-Löf), especially in the way it has
been realized in Edinburgh LF (Harper et al., 1993). However, our formulation
owes more to Beluga’s type theory, where contexts are first-class citizens, than
to the notion of regular world in Twelf. The latter was introduced in Schürmann
(2000) and used in Schürmann and Pfenning (2003) for the meta-theory of Twelf
and in Momigliano for different purposes. It was further explicated in
Harper and Licata’s (2007) review of Twelf’s methodology, but its treatment
remained unsatisfactory since the notion of worlds is extra-logical. Recent work
(Wang and Nadathur, 2013) on a logical rendering of Twelf’s totality checking
has so far been limited to closed objects.

The creation and sharing of a library of benchmarks has proven to be very
beneficial to the field it represents. The brightest example is TPTP (Sutcliffe,
2009), whose influence on the development, testing and evaluation of automated
theorem provers cannot be underestimated. Clearly our ambitions are much more
limited. We have also taken some inspiration from its higher-order extension THF0
(Benzmüller et al., 2008), in particular in its construction in stages.

The success of TPTP has spurred other benchmark suites in related subjects,
see for example SATLIB (Hoos and Stützle, 2000); however, the only one concerned
with induction is the Induction Challenge Problems (http://www.cs.nott.ac.uk/~lad/research/challenges),
a collection of examples geared to the automation of inductive proof. The benchmarks
are taken from arithmetic, puzzles, functional programming specifications
etc. and as such have little connection with our endeavor. On the other hand both
Twelf’s wiki (http://twelf.org/wiki/Case_studies), Abella’s library (http://abella-prover.org/examples)
and Beluga’s distribution contain a set of context-intensive examples, some of
which coincide with the ones presented here. As such they are prime candidates
to be included in ORBI.
Other projects have put forward LF as a common ground: Logosphere’s goal
(http://www.logosphere.org) was the design of a representation language for logical
formalisms, individual theories, and proofs, with an interface to other theorem
proving systems that were somewhat connected, but the project never materialized.
SASyLF (Aldrich et al., 2008) originated as a tool to teach programming
language theory: the user specifies the syntax, judgments, theorems and proofs
thereof (albeit limited to closed objects) in a paper-and-pencil HOAS-friendly way
and the system converts them to totality-checked Twelf code. The capability to
express and share proofs is of obvious interest to us, although such proofs, being a
literal proof verbalization of the corresponding Twelf type family, are irremediably
verbose.

Why3 (http://why3.lri.fr) is a software verification platform that intends
to provide a front-end to third-party theorem provers, from proof assistants such
as Coq to SMT-solvers. To this end Why3 provides a first-order logic with rank-1
polymorphism, recursive definitions, algebraic data types and inductive predicates
(Filliâtre, 2013), whose specifications are then translated into the several systems
that Why3 supports. Typically, those translations are forgetful, but sometimes,
e.g., with respect to Coq, they add some annotations, for example to ensure non-emptiness
of types. Although we are really not in the same business as Why3,
there are several ideas that are relevant, such as the notion of a driver, that
is, a configuration file to drive transformations specific to a system. Moreover,
Why3 provides an API for users to write and implement their own drivers and
transformations.

Ott (Sewell et al., 2010) is a highly engineered tool for “working semanticists,”
allowing them to write programming language definitions in a style very close to
paper-and-pen specifications; then those are compiled into LaTeX and, more interestingly,
into proof assistant code, currently supporting Coq, Isabelle/HOL and
HOL. Ott’s metalanguage is endowed with a rich theory of binders, but at the moment
it favors the “concrete” (non α-quotiented) representation, while providing
support for the nameless representation for a single binder. Conceptually, it would
be natural to extend Ott to generate ORBI code, as a bridge for Ott to support
HOAS-based systems. Conversely, an ORBI user would benefit from having Ott as
a front-end, since the latter’s notion of grammar and judgment seems at first sight
general enough to support the notion of schema and context relation.

In the category of environments for programming language descriptions, we
mention PLT-Redex (Felleisen et al., 2009) and also the K framework (Roșu and Șerbănuță,
2010). In both, several large-scale language descriptions have been specified and
tested. However, none of those systems has any support for binders, let alone
context specifications, nor can any meta-theory be carried out.

Finally, there is a whole research area dedicated to the handling and sharing
of mathematical content (MKM, http://www.mkm-ig.org) and its representation
(OMDoc, https://trac.omdoc.org/OMDoc), which is only very loosely connected
to our project.


6 Conclusion and Future Work 

We have presented an initial set of benchmarks that highlight a variety of differ¬ 
ent aspects of reasoning within a context of assumptions. We have also provided 
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an infrastructure for formalizing these benchmarks in a variety of HOAS-based 
systems, and for facilitating their comparison. We have developed a framework 
for expressing contexts of assumptions as structured sequences, which provides 
additional structure to contexts via schemas and characterizes their basic proper¬ 
ties. Finally, we have designed (the initial version of) the ORBI (Open challenge 
problem Repository for systems supporting reasoning with Binders) specification 
language, and created an open repository of specifications, which initially contains 
the benchmarks introduced in this paper. 

Selecting a small set of benchmarks has an inherent element of arbitrariness. The reader may complain that there are many other features and issues not covered in Sect. 3. We agree, and we mention some additional categories, which we could not discuss in the present paper for the sake of space, but which will (eventually) make it into the ORBI repository:


One of the weak spots of most current HOAS-based systems is the lack of libraries, built-in data-types and related decision procedures: for example, case studies involving calculi of explicit substitutions require a small corpus of arithmetic facts that, albeit trivial, still need to be (re)proven, while they could be automatically discharged by decision procedures such as Coq's omega (see footnote 9).

There are also specifications that are functional in nature, such as those that descend through the structure of a lambda term, say counting its depth, the number of bound occurrences of a given variable etc.; most HOAS systems would encode those functions relationally, but this entails again the additional proof obligations of proving those relations total and deterministic.

In the benchmarks that we have presented all blocks are composed of atoms, but there are natural specifications, to wit the solution to the PoplMark challenge in Pientka (2007), where contexts have more structure, as they are induced by third-order specifications. For example, the rule for subtyping universally quantified types introduces a non-atomic assumption about transitivity, of the form:

{a:tp}({U:tp} {V:tp} sub a U -> sub U V -> sub a V).

Proofs by logical relations typically require, in order to define reducibility candidates, inductive definitions and strong function spaces, i.e., a function space that does not only model binding. A direct encoding of those proofs is out of reach for systems such as Twelf, although indirect encodings exist (Schürmann and Sarnat, 2008). Other systems, such as Beluga and Abella, are well capable of encoding such proofs, but differ in how this is accomplished; see Cave and Pientka (2014) and Gacek et al. (2012).

Finally, a subject that is gaining importance is the encoding of infinite behavior, typically realized via some form of co-induction. Context-intensive case studies have been explored for example in Momigliano (2012).


One of the outcomes of our framework for expressing contexts of assumptions is the unified treatment of all weakening/strengthening/exchange re-arrangements, via the rm and perm operations. This opens the road to a lattice-theoretic view of declarations and contexts, where, roughly, x ≤ y holds iff x can be reached from y by some rm operation: a generalized context will be the join of two contexts, and context relations can be identified by navigating the lattice starting from the join of the to-be-related contexts. We plan to develop this view and use it to convert G proofs into R and vice versa, as a crucial step towards breaking the proof/type theory barrier.

9 Case in point, the strong normalization proof for the λσ calculus in Abella, see http://abella-prover.org/examples/lambda-calculus/exsub-sn/, 15% of which consists of basic facts about addition.


The description of ORBI given in Sect. 4 is best thought of as a stepping stone towards a more comprehensive specification language, much as THF0 (Benzmüller et al., 2008) has been extended to the more expressive formalism THF1, adding for instance rank-1 polymorphism. Many are the features that we plan to provide in the near future, starting from general (monotone) (co)inductive definitions; currently we only relate contexts, while it is clearly desirable to relate arbitrary well-typed terms, as shown for example in Cave and Pientka (2012) and Gacek et al. (2012) with respect to normalization proofs. Further, it is only natural to support infinite objects and behavior. However, full support for (co)induction is a complex matter, as it essentially entails fully understanding the relationship between the proof theory behind Abella and Hybrid and the type theory of Beluga. Once this is in place, we can "rescue" ORBI theorems from their current status as comments and even include a notion of proof in ORBI.


Clearly, there is a significant amount of implementation work ahead, mainly on the ORBI2X tools side, but also on the practicalities of the benchmark suite. Finally, we would like to open up the repository to other styles of specification, such as nominal, locally nameless, etc.
A Overview of Benchmarks

In this appendix, we provide a quick reference guide to some of the key elements of the benchmark problems discussed in Section 3. In the tables below, ULC (STLC) stands for the untyped (simply-typed) lambda-calculus, and POLY stands for the polymorphic lambda-calculus. The entry "same" means that there is no difference between the R and G version of the theorem because there is only one context involved.


A.1 A Recap of Benchmark Theorems


Theorem                                             Thm No.   Version
aeq-reflexivity for ULC                             7         R
aeq-reflexivity for ULC                             8         G
aeq-symmetry and transitivity for ULC               10        same
atp-reflexivity for POLY                            11        G
aeq-reflexivity for POLY                            13        G
atp-reflexivity for POLY                            14        R
aeq-reflexivity for POLY                            15        R
aeq/deq-completeness for ULC                        19        G
aeq/deq-completeness for ULC                        22        R
type uniqueness for STLC                            24        same
type preservation for parallel reduction for STLC   26        R
aeq-parallel substitution for ULC                   23        same

A.2 A Recap of Schemas and Their Usage 

Context   Schema   Block                                   Description / Used in:
Φα        Sα       is_tp a                                 type variables
Φx        Sx       is_tm x                                 term variables
Φαx       Sαx      is_tp a + is_tm x                       type/term variables
Φαt       Sαt      is_tp a + is_tm x; x:T                  type-checking for POLY
Φxa       Sxa      is_tm x; aeq x x                        Thm 8, 10 and 23
Φatp      Satp     is_tp a; atp a a                        Thm 11
Φaeq      Saeq     is_tp a; atp a a + is_tm x; aeq x x     Thm 13
Φda       Sda      is_tm x; deq x x; aeq x x               Thm 19
Φxd       Sxd      is_tm x; deq x x                        Thm 22
Φt        St       is_tm x; oft x A                        Thm 24
Φr        Sr       is_tm x; x ⇒ x                          Thm 26


A.3 A Recap of the Main Context Relations and Their Usage 


Relation        Related Blocks                                   Used in:
Φx ~ Φxa        is_tm x ~ (is_tm x; aeq x x)                     Thm 7
Φα ~ Φatp       is_tp a ~ (is_tp a; atp a a)                     Thm 14
Φαx ~ Φaeq      Φx ~ Φxa plus Φα ~ Φatp                          Thm 15
Φxa ~ Φxd       (is_tm x; aeq x x) ~ (is_tm x; deq x x)          Thm 22
Φr ~ Φt         (is_tm x; x ⇒ x) ~ (is_tm x; x:A)                Thm 26


B ORBI Specification of Algorithmic and Declarative Equality 

The following ORBI specification provides a complete encoding of the example of algorithmic vs. declarative equality used in Subsections 3.1 and 3.4.
%% Syntax
tm: type.
app: tm -> tm -> tm.
lam: (tm -> tm) -> tm.

%% Judgments
aeq: tm -> tm -> type.
deq: tm -> tm -> type.

%% Rules
ae_a: aeq M1 N1 -> aeq M2 N2 -> aeq (app M1 M2) (app N1 N2).
ae_l: ({x:tm} aeq x x -> aeq (M x) (N x))
        -> aeq (lam (\x. M x)) (lam (\x. N x)).

de_a: deq M1 N1 -> deq M2 N2 -> deq (app M1 M2) (app N1 N2).
de_l: ({x:tm} deq x x -> deq (M x) (N x))
        -> deq (lam (\x. M x)) (lam (\x. N x)).
de_r: deq M M.
de_s: deq M1 M2 -> deq M2 M1.
de_t: deq M1 M2 -> deq M2 M3 -> deq M1 M3.

%% Schemas
schema xG: block (x:tm).
schema xaG: block (x:tm; u:aeq x x).
schema xdG: block (x:tm; u:deq x x).
schema daG: block (x:tm; u:deq x x; v:aeq x x).

%% Definitions
inductive xaR : {G:xG} {H:xaG} prop =
| xa_nil: xaR nil nil
| xa_cons: xaR G H -> xaR (G, block x:tm) (H, block x:tm; u:aeq x x).

inductive daR : {G:xdG} {H:xaG} prop =
| da_nil: daR nil nil
| da_cons: daR G H -> daR (G, block x:tm; v:deq x x)
                          (H, block x:tm; u:aeq x x).

%% Theorems
theorem reflG: {H:xaG} {M:tm} [H |- aeq M M].
theorem symG: {H:xaG}{M:tm}{N:tm} [H |- aeq M N] -> [H |- aeq N M].
theorem transG: {H:xaG}{M:tm}{N:tm}{L:tm}
    [H |- aeq M N] & [H |- aeq N L] -> [H |- aeq M L].
theorem ceqG: {G:daG} [G |- deq M N] -> [G |- aeq M N].
theorem substG: {H:xaG}{M1:tm->tm}{M2:tm->tm}{N1:tm}{N2:tm}
    [H, block x:tm; aeq x x |- aeq (M1 x) (M2 x)] & [H |- aeq N1 N2] ->
    [H |- aeq (M1 N1) (M2 N2)].
theorem reflR : {G:xG}{H:xaG}{M:tm} xaR G H -> [H |- aeq M M].
theorem ceqR: {G:xdG}{H:xaG} daR G H -> [G |- deq M N] -> [H |- aeq M N].
%% Directives
[hy,ab] wf tm.
[hy,ab] explicit x in de_l.
[hy,ab] explicit M in de_r.
[hy,ab] explicit x in xG.
[hy,ab] explicit x in xdG.
[hy,ab] explicit x in daG.
[hy,ab] explicit x in G in xaR.
[hy,ab] explicit x in G in daR.
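The lattice view sketched in Sect. 6 (a block lies below another when it is reached from it by rm, modulo perm; a generalized context is the join) can be tried out on the schemas and context relations of the specification above. The following Python script is an added example, not part of the paper or of the ORBI2X tools: it parses the schema and inductive-definition headers (copied from Appendix B), and, as a simplifying assumption of this example, treats a block as the set of its declaration types (dropping the labels u, v), then reports for each relation whether its two blocks are rm-ordered and which declared schema is exactly their join.

```python
import re

# Schema declarations and relation headers copied from Appendix B.
ORBI_SPEC = """
schema xG: block (x:tm).
schema xaG: block (x:tm; u:aeq x x).
schema xdG: block (x:tm; u:deq x x).
schema daG: block (x:tm; u:deq x x; v:aeq x x).
inductive xaR : {G:xG} {H:xaG} prop =
inductive daR : {G:xdG} {H:xaG} prop =
"""

SCHEMA_RE = re.compile(r"schema\s+(\w+)\s*:\s*block\s*\((.*?)\)\s*\.")
REL_RE = re.compile(r"inductive\s+(\w+)\s*:\s*\{\w+:(\w+)\}\s*\{\w+:(\w+)\}\s*prop")

def parse_schemas(spec):
    """Map each schema name to its block, as the tuple of declaration
    types in order, e.g. xaG -> ('tm', 'aeq x x'). Assumption labels
    (u, v) are dropped: this example compares blocks by type only."""
    schemas = {}
    for name, body in SCHEMA_RE.findall(spec):
        decls = [d.strip() for d in body.split(";")]
        schemas[name] = tuple(d.split(":", 1)[1].strip() for d in decls)
    return schemas

def parse_relations(spec):
    """Map each context relation (xaR, daR) to the schemas it relates."""
    return {name: (g, h) for name, g, h in REL_RE.findall(spec)}

def rm_reachable(small, big):
    """small <= big: small is obtained from big by deleting declarations
    (rm) and reordering the remaining ones (perm), so order is ignored."""
    return set(small) <= set(big)

def join(b1, b2):
    """Least block above both: union of declarations, b1's order first."""
    return b1 + tuple(d for d in b2 if d not in b1)

def classify_relations(spec):
    """For each relation G ~ H: are the blocks rm-ordered, and which
    declared schema (if any) has exactly the join block?"""
    schemas, rels = parse_schemas(spec), parse_relations(spec)
    out = {}
    for name, (g, h) in rels.items():
        bg, bh = schemas[g], schemas[h]
        j = join(bg, bh)
        top = next((s for s, b in schemas.items() if set(b) == set(j)), None)
        out[name] = {"ordered": rm_reachable(bg, bh) or rm_reachable(bh, bg),
                     "join": top}
    return out

if __name__ == "__main__":
    for rel, info in classify_relations(ORBI_SPEC).items():
        print(rel, info)
```

For xaR the block of xG sits directly below that of xaG, whereas for daR neither of xdG and xaG is below the other and their join is the block of daG, the generalized context used by ceqG.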





